Hacker Hurricane: InfoSec, Malware Archaeology, Blue Team Ninja, Logaholic, News, Rants, Updates and Education. Posts by Hacker Hurricane.
The Windows Registry Auditing Cheat Sheet update! Aug 2019, v2.5 (published 2019-08-06)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="" data-pm-slice="1 1 []" style="white-space: pre-wrap;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvG-QdIMhjbxEgk25DCImedHWp_oYrDfIrUbRTV1Kh0SNbulp-hVWa26VihsX4tbYlAugaTsyih4n2UFDotPUq63QmzoD2K8PrO_2JewIqTtxsr9etQYTv-zMXwJSfR13MoB18N1IgPPY/s1600/Reg_Cheat_Sheet_Pic.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="473" data-original-width="1600" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvG-QdIMhjbxEgk25DCImedHWp_oYrDfIrUbRTV1Kh0SNbulp-hVWa26VihsX4tbYlAugaTsyih4n2UFDotPUq63QmzoD2K8PrO_2JewIqTtxsr9etQYTv-zMXwJSfR13MoB18N1IgPPY/s640/Reg_Cheat_Sheet_Pic.JPG" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The Windows Registry Auditing Cheat Sheet has been updated to include a few new items to monitor for malicious activity. Keep in mind, when applying the settings to the user space, that HKCU is only the hive of the user currently logged in. For any other users you want Registry auditing set on, you must apply it under HKU\&lt;GUID&gt;, so you must either know their user GUID or use a script that crawls all the GUIDs and applies the settings.</span></div>
<div class="" style="white-space: pre-wrap;">
<br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">You can get the new <a href="https://malwarearchaeology.com/cheat-sheets" target="_blank"><strong>Cheat Sheet HERE</strong></a>:</span></li>
</ul>
</div>
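As an added example (my script, not the cheat sheet's), the following PowerShell crawls every user hive loaded under HKU, whose subkeys are named by the account SID, and applies one audit (SACL) entry to a chosen set of keys in each. The key list, the audited rights and the Everyone/success-only choice are assumptions for illustration.

```powershell
# Added example: apply a registry audit (SACL) rule under every loaded user hive,
# so auditing covers more than the HKCU hive of the user who is logged on now.
# Assumptions (not from the cheat sheet): the relative keys in $KeysToAudit,
# auditing Everyone for Set Value / Create Subkey / Delete, success only.
# Run elevated: reading and writing SACLs needs SeSecurityPrivilege.
# Prerequisite for 4657 events: auditpol /set /subcategory:"Registry" /success:enable

$KeysToAudit = @(
    'Environment',
    'Software\Microsoft\Windows\CurrentVersion\Run'
)

$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
          [System.Security.AccessControl.RegistryRights]::Delete
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# Only real user hives are touched: S-1-5-21-... subkeys, not the *_Classes hives
# or the built-in service accounts. A hive appears under HKU only while it is
# loaded (user logged on), so rerun this at logon or load the other profiles'
# ntuser.dat hives first.
$userHives = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $userHives) {
    foreach ($rel in $KeysToAudit) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$rel"
        if (-not (Test-Path -Path $path)) { continue }   # not every profile has every key
        $acl = Get-Acl -Path $path -Audit
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Audit rule applied: $path"
    }
}
```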
</div>
Come learn how to hunt on Windows quickly - SANS Threat Hunting & IR Summit (published 2018-07-12)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.sans.org/u/F72" target="_blank"><img border="0" data-original-height="301" data-original-width="576" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRQ56gDROcmowOrYFOEfT34LkJcC_Cm1Wmt2gtXEUvybnJnwdsy2ur35v32A7J3r33BNf1OOctnJkkBOP2zxJhVXDjzuvBzFvsF-WCWbnl742dcFhhOGfr_xBhLjj3Lm6HECTACHWfSvk/s320/800x418_THIR_Talks_Gough.jpg" width="320" /></a><span id="goog_1489147726"></span><a href="https://www.blogger.com/"></a><span id="goog_1489147727"></span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I am giving a talk at the SANS Threat Hunting & IR Summit in New Orleans on Sept 6th & 7th. You can get more information here:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><a href="http://www.sans.org/u/F72" target="_blank">SANS Threat Hunting & IR Summit in New Orleans Sept 6th & 7th</a></span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">My talk, "<span style="font-size: 11pt;">This is the fastest way I found to hunt for malicious activity on Windows endpoints</span>", will help people understand how to hunt and what to hunt for on Windows endpoints.</span></div>
Sample WinLogBeat.yml file for ELK and Humio users (published 2018-04-21)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;">We have published a sample WinLogBeat.yml file for ELK and Humio users. It collects the right events and shows how to exclude various noisy ones, so you collect less noise and make your log management experience easier.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This config can be expanded to collect more log events, or to exclude more of the noisy normal events. Refer to the other Cheat Sheets for more information on which items to collect. The Windows Logging Cheat Sheets may be found here:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><a href="https://www.malwarearchaeology.com/cheat-sheets" target="_blank">https://www.malwarearchaeology.com/cheat-sheets</a></span></li>
</ul>
<div>
<span style="font-family: Verdana, sans-serif;">You may find a copy of the sample WinLogBeat.yml file here:</span></div>
<div>
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><a href="https://www.malwarearchaeology.com/logging" target="_blank">https://www.malwarearchaeology.com/logging</a></span></li>
</ul>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Try out Humio, a new cloud and on-prem logging solution. Humio is easy to use, and they even offer a FREE version with 2 GB of data and 7-day retention. It is perfect for home users and labs to begin and expand your Windows logging expertise. You can find Humio here:</span></div>
<div>
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><a href="https://humio.com/" target="_blank">https://Humio.com</a></span></li>
</ul>
</div>
<div>
<span style="font-family: Verdana, sans-serif;">Watch for a "<b><i>Windows Humio Logging Cheat Sheet"</i></b> coming in the near future!!!</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Don't forget to send us your tips, suggestions and comments!!!</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">#Happy Hunting !!!</span></div>
</div>
</div>
New Incident Response Podcast (published 2018-03-10)<div dir="ltr" style="text-align: left;" trbidi="on">
I have joined Brian Boettcher to start the "<b><i>Brakeing Down Incident Response</i></b>" podcast, expanding the "<b><i>Brakeing Down Security</i></b>" podcast family.<br />
<br />
We will focus on the practical application of incident response, drawn from what we do in our daily IR tasks, so that others can learn and apply more Fu to their jobs.<br />
<br />
So take a listen, send us comments and be sure to read the detailed show notes.<br />
<ul style="text-align: left;">
<li><a href="http://bdirpodcast.com/" target="_blank">BDIRPodcast.com</a></li>
</ul>
<div>
#Happy Hunting</div>
<br />
<br /></div>
Looking at the latest APT28 Talos Security write-up and how YOU could catch this type of behavior (published 2017-10-23)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4adUr-bvmHeZ8ogMlAOFY4a36q_7B6zQRB7DGjkf4dTjMQrbRreIrhpPSJHJQt162od5TWjAKvriLBSPo98PyAOgXU5rJEHAvE4gb7INI83kxpIalbKKJdAq6C1xAwMrzsCJub4RhXx0/s1600/does-a-bear-leak-in-the-woods-23-638.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="359" data-original-width="638" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4adUr-bvmHeZ8ogMlAOFY4a36q_7B6zQRB7DGjkf4dTjMQrbRreIrhpPSJHJQt162od5TWjAKvriLBSPo98PyAOgXU5rJEHAvE4gb7INI83kxpIalbKKJdAq6C1xAwMrzsCJub4RhXx0/s320/does-a-bear-leak-in-the-woods-23-638.jpg" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The Cisco Talos Team just published a report on the latest APT28 malware that came in as a deceptive "Cyber Conflict U.S. Conference" flyer. You can read the article here:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif; font-size: xx-small;"><a href="http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank">Talos Team - “Cyber Conflict” Decoy Document Used In Real Cyber Conflict report</a></span></li>
</ul>
<br />
<span style="font-family: "verdana" , sans-serif;">I just wanted to capture some thoughts that come to mind when I read these types of reports and ask myself <b><i>"How can we detect this type of attack?"</i></b> There are some key takeaways from this report that would allow you to detect this type of attack fairly easily, or prevent it altogether, since it used Word macros.</span><br />
<br />
<ol style="text-align: left;">
<li>Prevention - The email delivered a Microsoft Word document that used macros to infect the user. Prevent these types of attacks by 'Blocking Word Macros' using Group Policy!</li>
<li>Detection - Using Event ID 4688 with Command Line logging enabled, you could trigger on Word launching cscript, wscript, or PowerShell, as this is NOT normal.</li>
<li>Detection - A DLL is used to infect the system, loaded by a batch file that runs RunDll32. Alerting on RunDll32 in 4688 events with Command Line logging could trigger on this behavior.</li>
<li>Detection - If you use Windows Firewall logging, which does NOT require using the Windows Firewall, you could detect the IPs used to communicate with the C2 server with 5156 events. Then scan your environment for anyone else talking to the suspicious IPs.</li>
<li>Detection - Monitoring changes to well-known AutoRun registry locations could detect this behavior with a 4657 event. An Autoruns scanner like LOG-MD can also discover these malicious changes. This payload used the following key:</li>
</ol>
<br />
<blockquote style="border: none; margin: 0 0 0 40px; padding: 0px;">
<ul style="text-align: left;">
<li>HKCU\Environment\UserInitMprLogonScript</li>
</ul>
</blockquote>
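As an added example (my code, not the Talos report's or LOG-MD's), here is a small PowerShell detector that applies the 4688 and 4657 checks from the list above to Security events in XML form; the sample events in it are constructed, and the SID, paths and command lines are made up.

```powershell
# Added example (not from the Talos report or LOG-MD): a small detector for the
# 4688 and 4657 checks above. It reads events in the XML form that Get-WinEvent's
# .ToXml() or "wevtutil qe Security /f:xml" produce. The sample events below are
# constructed; the SID, paths and command lines in them are made up.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe')
$ScriptHosts   = @('cscript.exe', 'wscript.exe', 'powershell.exe')

function Get-EventFields {
    # Flatten one <Event> element into a hashtable: EventID plus each <Data Name="..."> field.
    param([System.Xml.XmlElement]$EventElement)
    $fields = @{ EventID = [string]$EventElement.System.EventID }
    foreach ($d in $EventElement.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = [string]$d.InnerText
    }
    return $fields
}

function Get-Leaf([string]$Path) {
    # Last path component, lower-cased, so WINWORD.EXE and winword.exe compare equal.
    return ($Path -split '\\')[-1].ToLower()
}

function Test-SuspiciousEvent {
    # Returns one alert string per matching rule, nothing for benign events.
    param([hashtable]$Fields)
    $alerts = @()
    switch ($Fields.EventID) {
        '4688' {
            $child  = Get-Leaf $Fields['NewProcessName']
            $parent = Get-Leaf $Fields['ParentProcessName']
            # An Office application launching a script host is not normal.
            if ($OfficeParents -contains $parent -and $ScriptHosts -contains $child) {
                $alerts += "Office app $parent spawned ${child}: $($Fields['CommandLine'])"
            }
            # The DLL loaded from the batch file shows up as a rundll32 process creation.
            if ($child -eq 'rundll32.exe') {
                $alerts += "rundll32 execution: $($Fields['CommandLine'])"
            }
        }
        '4657' {
            # UserInitMprLogonScript under <hive>\Environment is the logon-script
            # persistence value the post calls out (value name spelled out in full).
            if ($Fields['ObjectName'] -match '\\Environment$' -and
                $Fields['ObjectValueName'] -eq 'UserInitMprLogonScript') {
                $alerts += "AutoRun value changed: $($Fields['ObjectName'])\$($Fields['ObjectValueName']) = $($Fields['NewValue'])"
            }
        }
    }
    return $alerts
}

# Constructed sample events: the first three should alert, the notepad launch should not.
$SampleXml = @'
<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>4688</EventID></System><EventData>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -File C:\Users\Public\example.ps1</Data>
    <Data Name="ParentProcessName">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData></Event>
  <Event><System><EventID>4688</EventID></System><EventData>
    <Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>
    <Data Name="CommandLine">rundll32.exe C:\Users\Public\example.dll,EntryPoint</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData></Event>
  <Event><System><EventID>4657</EventID></System><EventData>
    <Data Name="ObjectName">\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment</Data>
    <Data Name="ObjectValueName">UserInitMprLogonScript</Data>
    <Data Name="NewValue">C:\Users\Public\example.bat</Data>
  </EventData></Event>
  <Event><System><EventID>4688</EventID></System><EventData>
    <Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData></Event>
</Events>
'@

$doc = [xml]$SampleXml
$alerts = foreach ($e in $doc.Events.Event) { Test-SuspiciousEvent (Get-EventFields $e) }
$alerts | ForEach-Object { Write-Output "ALERT: $_" }

# Against a live host (assumed usage; needs 4688 command-line logging and registry auditing):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4657 } |
#     ForEach-Object { Test-SuspiciousEvent (Get-EventFields ([xml]$_.ToXml()).Event) }
```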
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">These types of attacks leave noise in well-configured logs and can be detected, and in this case prevented by blocking macros for Word documents. You can use whatever solution you have to collect log data; <b>LOG-MD</b>, of course, can discover this type of attack if the logs are properly configured, but just searching AutoRuns and doing a Reg Compare would also gain you valuable data. Of course, you need to configure your systems to collect the data locally in order to use it. Please read the '<b><i>Windows Logging Cheat Sheet</i></b>' and the other cheat sheets on what to configure. You can get them here:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://www.malwarearchaeology.com/cheat-sheets/" target="_blank">Malware Archaeology Cheat Sheets</a></span></li>
</ul>
<br />
<span style="font-family: "verdana" , sans-serif;">There is also a presentation I give on reducing/preventing malware/ransomware from phishing that can be found on the website as well:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://www.malwarearchaeology.com/presentations/" target="_blank">Defending Against Ransomware/malware and what can you do about it</a></span></li>
</ul>
<br />
<span style="font-family: "verdana" , sans-serif;">And <b>LOG-MD</b> to collect logs, Autoruns, files, and registry data:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://www.log-md.com/" target="_blank">LOG-MD, The Log and Malicious Discovery tool</a></span></li>
</ul>
<br />
<span style="font-family: "verdana" , sans-serif;">#Happy Hunting</span></div>
Microsoft is breaking our security improvements with the new Windows 10 cumulative updates/upgrades (published 2017-09-28)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5ujpsn4XAm3MSm144A3yIqKbroH5PSawd-EGkrWvUBzu_BWF1-ZAjkqs1vWXeFD8bE-9ZJ0GCqYI4FZ5iTsy4iLPMbcKp3w4G1FUk3IVbq_WA3Vu26bPRdpZQfcL_QT4zyAehkJF1tWE/s1600/Win+10+Patching.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="724" data-original-width="1283" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5ujpsn4XAm3MSm144A3yIqKbroH5PSawd-EGkrWvUBzu_BWF1-ZAjkqs1vWXeFD8bE-9ZJ0GCqYI4FZ5iTsy4iLPMbcKp3w4G1FUk3IVbq_WA3Vu26bPRdpZQfcL_QT4zyAehkJF1tWE/s320/Win+10+Patching.jpg" width="320" /></a></div>
<br />
<span style="font-family: "verdana" , sans-serif;">Windows 10 has been touted as a more secure Windows. With Windows 10, Microsoft has changed the way systems are patched. No more ‘Patch Tuesday’ with a bunch of miscellaneous files or individual patch items numbering in the tens. Microsoft is now rolling the patches up into an actual Operating System upgrade referred to as “Windows 10 cumulative updates”. Some see this as a good thing, but it actually breaks settings that many of us security people apply, recommend that others apply, or worse, have already applied and now find removed by the upgrade(s).</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNnGMzOoperoBWgiOkVVLf9-ObHpR_ANYvQr8vs-Ov6_XCVn3bcmqCRckHIlcQM_TBQBITgQv0_-H_cl3vMuTUKNUD0UzZB-Cief93SwDLiBmET87-8vI5EQVGtKwtZN3heUXrhRRwhTg/s1600/Default+Settings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="650" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNnGMzOoperoBWgiOkVVLf9-ObHpR_ANYvQr8vs-Ov6_XCVn3bcmqCRckHIlcQM_TBQBITgQv0_-H_cl3vMuTUKNUD0UzZB-Cief93SwDLiBmET87-8vI5EQVGtKwtZN3heUXrhRRwhTg/s320/Default+Settings.png" width="320" /></a></div>
<br />
<span style="font-family: "verdana" , sans-serif;">Before continuing, I think it is important to state that I do not feel the default configuration of Windows is at all secure enough for today’s security threats. It is not secure enough for home users, pro users, education users, or enterprise users. Microsoft is implementing many new security features with Windows 10, but completely failing at basic ‘<b><i>Security 101</i></b>’. Some can argue that compliance and standards address this by telling you what to set using Group Policy (GPO), but not everyone, nor every system, has Group Policy as an option. Home users (you, Mom & Dad, kids, friends, etc.), Small and Medium Businesses (SMBs), educational institutions, kiosks, labs, and many other systems purposefully do not use Group Policy. Assuming that "Group Policy is the only way to control or apply basic security settings" is a flawed way of thinking in today’s security eco-system.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrRn-keSn9Ks757OfjaqpHp1Uk8uIQSy4pTxvr6Qpexx87V0PIltaZ5rK1JT2V5VzpKhEKj4IsuuYDjjXi78Ztc2CW98JcxRNQY6ioFGwNdFLvGzJ7pjBWkzCtObhmbfO97YqB0KP_FrQ/s1600/GPO+PShell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="166" data-original-width="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrRn-keSn9Ks757OfjaqpHp1Uk8uIQSy4pTxvr6Qpexx87V0PIltaZ5rK1JT2V5VzpKhEKj4IsuuYDjjXi78Ztc2CW98JcxRNQY6ioFGwNdFLvGzJ7pjBWkzCtObhmbfO97YqB0KP_FrQ/s1600/GPO+PShell.png" /></a></span></div>
<br />
<span style="font-family: "verdana" , sans-serif;">Without GPO forcing settings onto each system, it is left to the system admin(s) or consultants to manually configure the system, or to create a ‘gold image’ that has many of these settings built in to the image being deployed. Many security hardening standards, such as the Center for Internet Security (CIS) Benchmarks, the US GCBs, or our own ‘<b><i>Windows Logging Cheat Sheets</i></b>’, are meant to improve the basic security of a Windows system, which is crucial for systems built today or tomorrow.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7b7ML2TlfEYBeWN_E7XveD2hGklAO0U0avG3TJFKWRIhjG4ncaLb9zSgA6raOyGCu8rDn1Y3-M420YEQbnLI2GplkksB2A7sgk5ch5k6ww8ljVNsxmGpzn79ECLTXOwQcDszDmDwfyYs/s1600/Win+10+Secured.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="166" data-original-width="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7b7ML2TlfEYBeWN_E7XveD2hGklAO0U0avG3TJFKWRIhjG4ncaLb9zSgA6raOyGCu8rDn1Y3-M420YEQbnLI2GplkksB2A7sgk5ch5k6ww8ljVNsxmGpzn79ECLTXOwQcDszDmDwfyYs/s1600/Win+10+Secured.png" /></a></span></div>
<br />
<span style="font-family: "verdana" , sans-serif;">So what kind of things do we InfoSec people recommend and set to improve Windows security? Here is a list of a few things:</span><br />
<ol style="text-align: left;">
<li>Improved logging by setting over 50 items that are NOT set by default EVER</li>
<li>Increased log sizes in order to collect more than a few minutes or hours of logs; the goal is a week or longer</li>
<li>Enabling logs that are NEVER enabled by default, but crucial to catching malicious behavior</li>
<li>Change default file associations that are regularly used to infect systems due to insecure default configurations</li>
<li>Enable auditing of key directories to monitor for new or deleted files</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3ZDmEmMsbSL00gHYBcus3MD4LcN8UI27Zj8MO9lSNPPmdNWbkxKRvgx0OntiPBdpfBH_3Xqv4xX5YpFdlZ1gEGbYorqSUiIhAkEVE5j1yy_6Tu8ZIlKxvjrAQ7G5Z8RfIxw91iOvJ4zU/s1600/Logging.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="525" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3ZDmEmMsbSL00gHYBcus3MD4LcN8UI27Zj8MO9lSNPPmdNWbkxKRvgx0OntiPBdpfBH_3Xqv4xX5YpFdlZ1gEGbYorqSUiIhAkEVE5j1yy_6Tu8ZIlKxvjrAQ7G5Z8RfIxw91iOvJ4zU/s320/Logging.png" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Logging is important, as it tells us what happened and how, so we can fix or clean up an infection and, hopefully, learn how the whole event began. The goal is to avoid it happening again. In order to gather this data, one must first enable the logging to collect what we Incident Responders and Forensics people want and need. Whether it is Mom and Dad, your chiropractor, SMBs, or even corporate users, they all need these settings, and Group Policy is often not available to set and push them.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmnAXEZDFGTQaJqdNelpj3-P7B0s2oXye_KWLACa45p86b9OG5fs1OBR-dVive6Aw1rA8B3FDjnKGH9aC-vI5-XR3_milid6K0tRj9D8DXQTWhCfyAjUZFbQr4NgwSoxSuPpelllUjSiI/s1600/File_Assoc.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="148" data-original-width="815" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmnAXEZDFGTQaJqdNelpj3-P7B0s2oXye_KWLACa45p86b9OG5fs1OBR-dVive6Aw1rA8B3FDjnKGH9aC-vI5-XR3_milid6K0tRj9D8DXQTWhCfyAjUZFbQr4NgwSoxSuPpelllUjSiI/s640/File_Assoc.JPG" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">File associations are, have been, and will be a major way users are so easily infected with malware and ransomware. Why? Because of the terrible default configuration that has left this vulnerability unaddressed since Windows 3.1. The malwarians know about these default configurations, and with the recent WannaCry and NotPetya ransomware attacks they continue to take advantage of these default file associations to infect systems. Windows users, system administrators, and even many InfoSec professionals still have no clue how easily malware and ransomware can be significantly reduced, if not almost eliminated, by changing a few file associations.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPu3ODlkTalni214DfPv4vZIXiO72xyIdjExkS2QwcuY9yVLVVMhZF9Zgw_7BIUvk5qCqPcqjwd1T2_7xyyQznO_2_DbBCDd-EAkDL5bY_ci1MQnZxwibVyXkDDD3Jx9pGqbrHnUYMBuo/s1600/Win+10+fixed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="371" data-original-width="672" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPu3ODlkTalni214DfPv4vZIXiO72xyIdjExkS2QwcuY9yVLVVMhZF9Zgw_7BIUvk5qCqPcqjwd1T2_7xyyQznO_2_DbBCDd-EAkDL5bY_ci1MQnZxwibVyXkDDD3Jx9pGqbrHnUYMBuo/s320/Win+10+fixed.png" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Now back to HOW Microsoft is breaking security of Windows 10 with their cumulative updates.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtYzIvtIoNXpjqYspwN15m8Hs1nWd1hWHQwFcyYNaFIH8ZyvfTJTJLbKqNXVZedj9d0YoRvj9mWS_Q3s4GcSas4CgMrI3v7w_Eq9b5-yruaaT4qAaOsE_v2FIgpqB6Mwm8WCa-XUYBSXM/s1600/WU-Update.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="385" data-original-width="1036" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtYzIvtIoNXpjqYspwN15m8Hs1nWd1hWHQwFcyYNaFIH8ZyvfTJTJLbKqNXVZedj9d0YoRvj9mWS_Q3s4GcSas4CgMrI3v7w_Eq9b5-yruaaT4qAaOsE_v2FIgpqB6Mwm8WCa-XUYBSXM/s320/WU-Update.png" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">When Microsoft applies one of their new “cumulative updates” they apply a security policy to the system at the end of the upgrade. So why is this an issue? </span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">If you have altered any of the following items, the settings are reset to the grossly inadequate Windows defaults:</span><br />
<ol style="text-align: left;">
<li>Log sizes are reset to 20,480 KB, which is sadly inadequate</li>
<li>The Task Scheduler log and others are disabled if they were enabled</li>
<li>File associations are reset to the defaults if they were changed</li>
<li>File auditing set on folders is removed</li>
<li>Data retained under the larger log sizes is rolled out when the sizes are reset</li>
</ol>
<span style="font-family: "verdana" , sans-serif;">These are the ones I currently know about; there are likely more. So far there have been three (3) of these upgrades since Windows 10 shipped.</span><br />
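As an added example (my script, not the post's or the cheat sheet's), here is a PowerShell check a practitioner can run after each cumulative update to report which of the settings above went back to the defaults, and with -Fix to reapply the log sizes, enabled state and script-host associations. The expected sizes are the post's "Before" values in KB; the script-host file classes checked and the AppData folders inspected are my assumptions.

```powershell
# Added example (not from the post or the Logging Cheat Sheet): report, and with
# -Fix reapply, the settings the post says a Windows 10 cumulative update resets.
# Assumptions: expected log sizes are the post's "Before" values in KB; the
# script-host classes checked and the AppData folders inspected are my choices.
# Run elevated (SACLs and other users' profiles need it).
param([switch]$Fix)

$ExpectedLogs = @(
    @{ Name = 'Application';                                 MaxKB = 256000 }
    @{ Name = 'Security';                                    MaxKB = 1000000 }
    @{ Name = 'System';                                      MaxKB = 256000 }
    @{ Name = 'Windows PowerShell';                          MaxKB = 500000 }
    @{ Name = 'Microsoft-Windows-PowerShell/Operational';    MaxKB = 500000 }
    @{ Name = 'Microsoft-Windows-TaskScheduler/Operational'; MaxKB = $null }   # size not given in the post
)
$drift = New-Object System.Collections.Generic.List[string]

# Log sizes and enabled state (Get-WinEvent -ListLog returns EventLogConfiguration objects).
foreach ($want in $ExpectedLogs) {
    $log = Get-WinEvent -ListLog $want.Name -ErrorAction SilentlyContinue
    if (-not $log) { $drift.Add("$($want.Name): log not found"); continue }
    $haveKB = [int64]($log.MaximumSizeInBytes / 1KB)
    $changed = $false
    if ($want.MaxKB -and $haveKB -lt $want.MaxKB) {
        $drift.Add("$($want.Name): max size $haveKB KB, expected $($want.MaxKB) KB")
        if ($Fix) { $log.MaximumSizeInBytes = $want.MaxKB * 1KB; $changed = $true }
    }
    if (-not $log.IsEnabled) {
        $drift.Add("$($want.Name): log is disabled")
        if ($Fix) { $log.IsEnabled = $true; $changed = $true }
    }
    if ($changed) { $log.SaveChanges() }
}

# File associations: if a script-host class no longer opens with notepad.exe,
# the association went back to the script engine.
foreach ($cls in 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -notmatch 'notepad\.exe') {
        $drift.Add("$cls opens with '$cmd' instead of notepad.exe")
        if ($Fix) { Set-ItemProperty -Path $key -Name '(default)' -Value 'notepad.exe "%1"' }
    }
}

# Folder auditing on each profile's AppData\Local and AppData\Roaming: report
# folders whose SACL is empty (report only; reapply per the cheat sheet).
$profiles = Get-ChildItem -Path C:\Users -Directory |
    Where-Object { $_.Name -notin @('Public', 'Default', 'Default User', 'All Users') }
foreach ($p in $profiles) {
    foreach ($sub in 'AppData\Local', 'AppData\Roaming') {
        $dir = Join-Path $p.FullName $sub
        if (-not (Test-Path -Path $dir)) { continue }
        $audit = (Get-Acl -Path $dir -Audit).Audit
        if (-not $audit -or $audit.Count -eq 0) { $drift.Add("${dir}: no audit entries") }
    }
}

if ($drift.Count -eq 0) { Write-Output 'No drift from the hardened settings found.' }
else { $drift | ForEach-Object { Write-Output "DRIFT: $_" } }
```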
<br />
<span style="font-family: "verdana" , sans-serif;">Here are some screenshots of the settings AFTER the Patch/Cumulative upgrade:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Application Log Size:</span><br />
<ul style="text-align: left;">
<li>Before - 256,000</li>
<li>After - 20,480</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFG8dCi3F9ZZS8WczNUScmQgj3Nk7bQJEpPUqc8lzgzcaru4ODNPaizehJu54PxwfBzxwR0uRJgE1FRv1iZ54twwJVWHBhXOx0oAu0pvZNBpaycfZcK9FRUnuZJu7brlrfAgBRU7HYPLg/s1600/App_Log_Size_Change.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="472" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFG8dCi3F9ZZS8WczNUScmQgj3Nk7bQJEpPUqc8lzgzcaru4ODNPaizehJu54PxwfBzxwR0uRJgE1FRv1iZ54twwJVWHBhXOx0oAu0pvZNBpaycfZcK9FRUnuZJu7brlrfAgBRU7HYPLg/s320/App_Log_Size_Change.JPG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;">Security Log Size:</span><br />
<ul>
<li>Before - 1,000,000</li>
<li>After - 20,480</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKAZVJE7mSwyI444gsu9hwJLEOTKyhf2rpYxdksEzCuvqSJKJ_0EyNcs7S83mldFDfuopcomABewp6enN7Vsi2Ij0ayAEC8rKz15VNLHqPgM188Op6F4yzdWwlHX9GRh0NN4zqRpIXZuw/s1600/Sec_Log_Size_Change.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="453" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKAZVJE7mSwyI444gsu9hwJLEOTKyhf2rpYxdksEzCuvqSJKJ_0EyNcs7S83mldFDfuopcomABewp6enN7Vsi2Ij0ayAEC8rKz15VNLHqPgM188Op6F4yzdWwlHX9GRh0NN4zqRpIXZuw/s320/Sec_Log_Size_Change.JPG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;">System Log Size:</span><br />
<ul>
<li>Before - 256,000</li>
<li>After - 20,480</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQS1Z3XR8-ctG5ESuZqIHRjHwsO0AvIMGFmhYbkEdA9P_JiRdyJcnIc5PdhrSDDzcj_A_NI8yJYY5GWSlB7jgEpN4rL1C2A3USLoPEM9FJzW1E7MwltI-IZuATcUG2XXpd8maYyETzbY4/s1600/System_Log_Size_Change.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="454" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQS1Z3XR8-ctG5ESuZqIHRjHwsO0AvIMGFmhYbkEdA9P_JiRdyJcnIc5PdhrSDDzcj_A_NI8yJYY5GWSlB7jgEpN4rL1C2A3USLoPEM9FJzW1E7MwltI-IZuATcUG2XXpd8maYyETzbY4/s320/System_Log_Size_Change.JPG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;">PowerShell/Operational Log Size:</span><br />
<ul>
<li>Before - 500,000</li>
<li>After - 15,360</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyBJDZDj2_l5fzUJ9pVysgM0waBFjCgFMTVSzw03Zmy69nDG1BHT5_4gmvc7YSoUfhy-aj5EtNGwKpInEozpb8mtsD6M45WmkNOdjiWhHtF3zgHuyGBP36yStuHsh1LZ53HwVYwyS6rbI/s1600/Win_PS_Log_Size_Change.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="427" data-original-width="519" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyBJDZDj2_l5fzUJ9pVysgM0waBFjCgFMTVSzw03Zmy69nDG1BHT5_4gmvc7YSoUfhy-aj5EtNGwKpInEozpb8mtsD6M45WmkNOdjiWhHtF3zgHuyGBP36yStuHsh1LZ53HwVYwyS6rbI/s320/Win_PS_Log_Size_Change.JPG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Windows PowerShell Log Size:</span><br />
<ul>
<li>Before - 500,000</li>
<li>After - 15,360</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhSZj_aYS_zU_VNNbsFUpbG9gk1J-nxbLu-I7XKbzicAdxqSxG2364d2gOdiYhd1HYkSojwnnMolttMvL7rn0WkL4JPj0tHxjoc0T1Ene5XpNXv9mxluTlHj1ekCVc39bN_4KNSK3NO50/s1600/PS_Opp_Log_Size_Change.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="421" data-original-width="616" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhSZj_aYS_zU_VNNbsFUpbG9gk1J-nxbLu-I7XKbzicAdxqSxG2364d2gOdiYhd1HYkSojwnnMolttMvL7rn0WkL4JPj0tHxjoc0T1Ene5XpNXv9mxluTlHj1ekCVc39bN_4KNSK3NO50/s320/PS_Opp_Log_Size_Change.JPG" width="320" /></a></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">TaskScheduler Log:</span><br />
<ul>
<li>Before - Enabled</li>
<li>After - Disabled</li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDwqbDBummoJm0C8dtFMXzvbqeZgSpMkbwHtJl4uYHVfOleWRN1ZwfPzdfMIEk7U2mSQ4EEn6-8vaa1ODqzqbSW7DR_17zXXlWLUHsjafR84hOKUc45XFRsSIUJDQURhYs2FH01KHZ4eo/s1600/Log_Disabled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="412" data-original-width="351" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDwqbDBummoJm0C8dtFMXzvbqeZgSpMkbwHtJl4uYHVfOleWRN1ZwfPzdfMIEk7U2mSQ4EEn6-8vaa1ODqzqbSW7DR_17zXXlWLUHsjafR84hOKUc45XFRsSIUJDQURhYs2FH01KHZ4eo/s320/Log_Disabled.jpg" width="272" /></a></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">What the C:\Users Folder Auditing was BEFORE the upgrade:</span><br />
<ul>
<li>Everyone for adds and deletes</li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-4dWtHSED_Bm0QCQdiBnJSlXIn1W2SN6uFhyphenhyphenmI8KvJPZhbaSwdV2iISpUoBPnDTGThMj8Zs_kF-zK9M_3TRfTeQ_DAWbtHawZ4_ARqMZOLdQ6JoAK-xtKURWASCuJQUCWT6J3vVBPKb0/s1600/File_Audit_LocalLow_OK.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="478" data-original-width="738" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-4dWtHSED_Bm0QCQdiBnJSlXIn1W2SN6uFhyphenhyphenmI8KvJPZhbaSwdV2iISpUoBPnDTGThMj8Zs_kF-zK9M_3TRfTeQ_DAWbtHawZ4_ARqMZOLdQ6JoAK-xtKURWASCuJQUCWT6J3vVBPKb0/s320/File_Audit_LocalLow_OK.JPG" width="320" /></a></div>
<div>
<br /></div>
<div>
<span style="font-family: "verdana" , sans-serif;">Folder Auditing of C:\Users\&lt;username&gt;\Local</span><br />
<ul>
<li>Before - Everyone for adds and deletes</li>
<li>After - nothing</li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMb79nvYyE3hvvys8cm4zkxvifVM0NkdW23orMfsh-9aRbriyYc_ohm7cRX9AXXqqWLIbrJtLaP8EQNx_MfyIMUa3B7nSw-w_BtsWtXXTFjNkmtvAoc6YMozRkbwNWalhJ-cabTZ9_Hcs/s1600/File_Audit_Local.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="479" data-original-width="695" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMb79nvYyE3hvvys8cm4zkxvifVM0NkdW23orMfsh-9aRbriyYc_ohm7cRX9AXXqqWLIbrJtLaP8EQNx_MfyIMUa3B7nSw-w_BtsWtXXTFjNkmtvAoc6YMozRkbwNWalhJ-cabTZ9_Hcs/s320/File_Audit_Local.JPG" width="320" /></a></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">Folder Auditing of C:\Users\&lt;username&gt;\Local</span></div>
<div>
<ul>
<li>Before - Everyone for adds and deletes</li>
<li>After - nothing</li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgES2W1Z0zNyj_T5XMifNntq3OEci4mB9IySEMf1jpYpIot8Bblc0NxE6Z_RTUdMca9z2uDssHKBGAvU3VIzY_LW5dtXsdGK5Aid-5S9CsQxbLkguyV0n0Z7fxUrbz5LXFu2Y9RRaS-PIQ/s1600/File_Audit_Roaming.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="474" data-original-width="691" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgES2W1Z0zNyj_T5XMifNntq3OEci4mB9IySEMf1jpYpIot8Bblc0NxE6Z_RTUdMca9z2uDssHKBGAvU3VIzY_LW5dtXsdGK5Aid-5S9CsQxbLkguyV0n0Z7fxUrbz5LXFu2Y9RRaS-PIQ/s320/File_Audit_Roaming.JPG" width="320" /></a></div>
<div>
<br /></div>
<span style="font-family: "verdana" , sans-serif;">File Associations:</span><br />
<br />
<ul style="text-align: left;">
<li>Before - Set to Notepad.exe</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0UkztjUELYdgiyfYhmBsmNY8OyouxPw5er8VHNhHmSXk4XMY_NsYyOt_1hDEP4q_cTfdsJuS17QESpDUhGD4hS9uiaf6wdoHTZoPeFooEynv6mzkhbbP82ZKeOYhf-UaPDeTcaajiNY0/s1600/Notepad_File_Assoc.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="155" data-original-width="527" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0UkztjUELYdgiyfYhmBsmNY8OyouxPw5er8VHNhHmSXk4XMY_NsYyOt_1hDEP4q_cTfdsJuS17QESpDUhGD4hS9uiaf6wdoHTZoPeFooEynv6mzkhbbP82ZKeOYhf-UaPDeTcaajiNY0/s400/Notepad_File_Assoc.jpg" width="400" /></a></div>
<br />
<ul style="text-align: left;">
<li>After - Set to default script engine</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxRNNU3F7vVengGLacM-g_nEKw6BHw126129fFzSOMtTMRQ9Sx6DT3nDKuaqN5L4crKiVTjIGuCsnbgn96QX4esYxK4XSOM6fqgxl7yNhpwXew7wSpFCMYEW5VrU3kCicigGR5h9KSHIo/s1600/File_Assoc.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="148" data-original-width="815" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxRNNU3F7vVengGLacM-g_nEKw6BHw126129fFzSOMtTMRQ9Sx6DT3nDKuaqN5L4crKiVTjIGuCsnbgn96QX4esYxK4XSOM6fqgxl7yNhpwXew7wSpFCMYEW5VrU3kCicigGR5h9KSHIo/s400/File_Assoc.JPG" width="400" /></a></div>
<br />
<span style="font-family: "verdana" , sans-serif;">So what are the ramifications of these changes?</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrfyqPo2Yhl5zbp5iADOv2jZN-IMe_f1GsLC_1ZJC1u9VDDJCPXy6mMjE3GzO2pZ_J-h9fl5E7kjJzsNe0N7ihDBthYRJlSIrFnZLFpvGjm3Xckpy7DFsaz73L5bt3cqiQEd0PkTqLApI/s1600/Header_Web_Page.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="103" data-original-width="521" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrfyqPo2Yhl5zbp5iADOv2jZN-IMe_f1GsLC_1ZJC1u9VDDJCPXy6mMjE3GzO2pZ_J-h9fl5E7kjJzsNe0N7ihDBthYRJlSIrFnZLFpvGjm3Xckpy7DFsaz73L5bt3cqiQEd0PkTqLApI/s320/Header_Web_Page.JPG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;">While investigating an incident, I tried to use <b><i>LOG-MD</i></b> to harvest the log data and discovered this issue. I am REALLY glad we built this audit logic into <b style="font-style: italic;">LOG-MD</b> by design! Maybe we should call this feature the “<b><i>Post Windows 10 Update Security Settings Validation Tool</i></b>”. Unfortunately, <b><i>LOG-MD</i></b> is designed <b><i>not</i></b> to collect log data unless the system is compliant with the settings in the ‘<b><i>Windows Logging Cheat Sheet</i></b>’.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The data we all want and need was in the log before the “cumulative update”. After the “cumulative update” was applied, the data that had been there the day before had been rotated out! In addition, we discovered that the folders being audited to collect the file drops malware creates were no longer set, so those events were no longer being collected. Also significant, the file associations that had been altered to prevent several malicious file types from executing when a user clicks them were reset to once again execute the script engine defaults.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxRNNU3F7vVengGLacM-g_nEKw6BHw126129fFzSOMtTMRQ9Sx6DT3nDKuaqN5L4crKiVTjIGuCsnbgn96QX4esYxK4XSOM6fqgxl7yNhpwXew7wSpFCMYEW5VrU3kCicigGR5h9KSHIo/s1600/File_Assoc.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="148" data-original-width="815" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxRNNU3F7vVengGLacM-g_nEKw6BHw126129fFzSOMtTMRQ9Sx6DT3nDKuaqN5L4crKiVTjIGuCsnbgn96QX4esYxK4XSOM6fqgxl7yNhpwXew7wSpFCMYEW5VrU3kCicigGR5h9KSHIo/s320/File_Assoc.JPG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">If this were my chiropractor who accidentally clicked a <b><i>.js</i></b> file, it would have detonated the malicious payload, and if I were to open the logs to look at what happened, the evidence would have been gone before I arrived on-site. I present a “How to avoid Ransomware” talk at many security conferences to educate people on the risks and how to reduce them, while also providing more log data when an investigation is warranted.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">Testing these security improvements in our malware lab clearly showed that these log, file association and audit settings are crucial to reducing the risk of a user clicking the wrong file type, and to having the data in the logs that can explain what happened, so the system can hopefully be remediated back to a normal state quickly.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTIwvbggYNktQVDw4BulC8Lo7FC4UoG2i0qkTiSNut-OGE3Vfhgoe7DNJ2G7yLKzqhdUOeex-khw518G-ZqEIzZjOphnAc7NBAT7j5-F2NalUig4sgtGkmEGQGVbb2FDpckJMVxldp-xY/s1600/Disclose.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="171" data-original-width="540" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTIwvbggYNktQVDw4BulC8Lo7FC4UoG2i0qkTiSNut-OGE3Vfhgoe7DNJ2G7yLKzqhdUOeex-khw518G-ZqEIzZjOphnAc7NBAT7j5-F2NalUig4sgtGkmEGQGVbb2FDpckJMVxldp-xY/s320/Disclose.jpg" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I have provided this information to Microsoft in hopes that they research, investigate and address this issue to stop this weakening of security following a patch cycle that is theoretically supposed to increase security. Hopefully they will address the issue and fix this terribly insecure oversight.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Because of this ill side-effect, I have provided a script that will set these items to their recommended desired state and settings from the ‘<b><i>Windows Logging Cheat Sheet</i></b>’, which you can tweak to your needs. The script will set the following file associations to open in <b><i>Notepad</i></b> instead of the default script engine, which would detonate a malicious payload if a user double-clicks a malicious email attachment:</span><br />
<ul style="text-align: left;">
<li>.js, .jse, .wsf, .wsh, .vbe, .vbs, .hta, .pif</li>
</ul>
<span style="font-family: "verdana" , sans-serif;">The log sizes are set to the following:</span><br />
<ul style="text-align: left;">
<li>Application and System – 256,000kb</li>
<li>Security – 1,000,000kb</li>
<li>Windows PowerShell – 500,000kb</li>
<li>PowerShell/Operational – 500,000kb</li>
</ul>
<span style="font-family: "verdana" , sans-serif;">The following log is enabled:</span><br />
<ul style="text-align: left;">
<li>TaskScheduler</li>
</ul>
<span style="font-family: "verdana" , sans-serif;">Optionally, the following folder auditing can be enabled if you choose; follow the '<b><i>Windows File Auditing Cheat Sheet</i></b>' for what you should audit by default:</span><br />
<ul style="text-align: left;">
<li>C:\Users\&lt;username&gt;\AppData\Local</li>
<li>C:\Users\&lt;username&gt;\AppData\Roaming</li>
<li>C:\Users\Public</li>
</ul>
<span style="font-family: "verdana" , sans-serif;">The script can be scheduled to run when a user logs in or every 15 minutes, or added to the user's <b><i>Startup</i></b> folder. Note that the user must be an administrator to alter the log settings, which is why a scheduled task is the best option, as it can run with elevated rights.</span><br />
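<span style="font-family: "verdana" , sans-serif;">As an added example (this is not the script from the website below, and it makes its own assumptions), here is a PowerShell script that checks the items listed above against the cheat sheet values and, only when run with <b><i>-Enforce</i></b>, re-applies them. The extensions, log sizes, enabled log and folders are the ones listed in this post; the <b><i>txtfile</i></b> ProgID (the built-in Notepad association), the switch names, the use of <b><i>wevtutil</i></b> and the shape of the SACL ("Everyone, success, creates and deletes") are my choices, not the author's:</span><br />

```powershell
# Added example, not the script the post links to: audit, and with -Enforce
# re-apply, the settings the post says the cumulative update reset.
# Extensions, log sizes, the enabled log and the folders come from the post;
# the switch names, the 'txtfile' ProgID, wevtutil and the SACL shape are
# this example's own choices. Run from an elevated PowerShell.
[CmdletBinding()]
param(
    [switch]$Enforce,       # default is report-only; -Enforce writes settings
    [switch]$AuditFolders   # with -Enforce, also (re)apply folder SACLs
)

# Script-type extensions the post maps to Notepad instead of the script engine.
$Extensions = '.js', '.jse', '.wsf', '.wsh', '.vbe', '.vbs', '.hta', '.pif'
$SafeProgId = 'txtfile'     # built-in ProgID whose open verb is notepad.exe

# Log sizes from the post, in KB (wevtutil /ms takes bytes, converted below).
$LogSizesKB = [ordered]@{
    'Application'                              = 256000
    'System'                                   = 256000
    'Security'                                 = 1000000
    'Windows PowerShell'                       = 500000
    'Microsoft-Windows-PowerShell/Operational' = 500000
}
$LogsToEnable = @('Microsoft-Windows-TaskScheduler/Operational')

# Folders from the post; the AppData paths resolve for the running user.
$AuditPaths = @($env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC)

function Test-FileAssociation {
    # The default value of HKCR\.ext is the ProgID the shell runs on double-click.
    foreach ($ext in $Extensions) {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext"
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Item = $ext; Current = $current; Desired = $SafeProgId; OK = ($current -eq $SafeProgId) }
    }
}

function Test-LogSettings {
    foreach ($name in $LogSizesKB.Keys) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        $desired = $LogSizesKB[$name] * 1KB
        [pscustomobject]@{ Item = $name; Current = $log.MaximumSizeInBytes; Desired = $desired; OK = ($log.MaximumSizeInBytes -ge $desired) }
    }
    foreach ($name in $LogsToEnable) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Item = $name; Current = [bool]$log.IsEnabled; Desired = $true; OK = [bool]$log.IsEnabled }
    }
}

function Set-RecommendedSettings {
    foreach ($ext in $Extensions) {
        Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -Name '(default)' -Value $SafeProgId
    }
    foreach ($name in $LogSizesKB.Keys) {
        wevtutil.exe sl $name "/ms:$($LogSizesKB[$name] * 1KB)"
    }
    foreach ($name in $LogsToEnable) {
        wevtutil.exe sl $name /e:true
    }
}

function Set-FolderAudit {
    # SACL entry: Everyone, successful creates and deletes, inherited by
    # subfolders and files (the 'adds and deletes' in the screenshots above).
    $rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]::Success
    $rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
    foreach ($path in $AuditPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $acl = Get-Acl -Path $path -Audit      # reading a SACL needs SeSecurityPrivilege
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}

$results = @(Test-FileAssociation) + @(Test-LogSettings)
$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.OK })
if ($Enforce) {
    Set-RecommendedSettings
    if ($AuditFolders) { Set-FolderAudit }
    Write-Host 'Settings re-applied; run again without -Enforce to confirm every row is OK.'
} elseif ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) differ from the cheat sheet baseline; run with -Enforce to fix."
}
```

<span style="font-family: "verdana" , sans-serif;">Run it elevated. Without <b><i>-Enforce</i></b> it only prints a table with an OK column, which is exactly the post-update validation check described above, so it is a good fit for a scheduled task that runs after each patch cycle. One caveat to verify on your build: the HKCR default value is what the <b><i>assoc</i></b> command changes, but a per-user UserChoice entry for an extension, if a user has set one, takes precedence over it.</span><br />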
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">You can find the script on the website:</span><br />
<ul style="text-align: left;">
<li><a href="https://www.malwarearchaeology.com/logging" target="_blank">https://www.malwarearchaeology.com/logging</a></li>
</ul>
<div>
<span style="font-family: "verdana" , sans-serif;">You can find several cheat sheets for Windows logging on the website as well:</span></div>
<div>
<ul style="text-align: left;">
<li><a href="https://www.malwarearchaeology.com/cheat-sheets" target="_blank">https://www.malwarearchaeology.com/cheat-sheets</a></li>
</ul>
</div>
<br />
<span style="font-family: "verdana" , sans-serif;">And the tool we discovered this issue with, <b><i>LOG-MD</i></b> is found here:</span><br />
<ul style="text-align: left;">
<li><a href="https://www.log-md.com/" target="_blank">https://www.log-md.com</a></li>
</ul>
<br />
<span style="font-family: "verdana" , sans-serif;">#HappyHunting</span><br />
<br />
<br /></div>
Hacker Hurricane (http://www.blogger.com/profile/02277577209226007877, noreply@blogger.com) | tag:blogger.com,1999:blog-4959410943781832320.post-2176295444969342249 | published 2017-05-01T14:01:00.000-05:00, updated 2017-05-03T06:58:10.139-05:00 | Fileless Malware? Not so fast, let's consider new terms<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">There is a lot of discussion lately about 'fileless malware', also referred to as 'living off the land', 'memory only', or 'non-malware attacks'. I do not necessarily agree with this simplistic classification and feel we need to expand what we are calling these attacks to better understand the attack, and thus better detect and defend against them.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
</div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">Cylance recently put out an article that listed a '<b><i>fileless malware attack chain</i></b>', below is their "Malware Attack Chain" from the article:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaSd0fuItW2ua4U5xSezBtadmW2ruro9y4iOINxRbgHFwkn9Q-4fqw40hHGvp-FQjspCwkmZW_NEUIOMtUzc6wJvw5xogU7M2EpK0ufy1FpZNplZMPYPq7gEDNlVdjtKK8MXWDJ3tG7ME/s1600/Cylance+Fig7-fileless_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaSd0fuItW2ua4U5xSezBtadmW2ruro9y4iOINxRbgHFwkn9Q-4fqw40hHGvp-FQjspCwkmZW_NEUIOMtUzc6wJvw5xogU7M2EpK0ufy1FpZNplZMPYPq7gEDNlVdjtKK8MXWDJ3tG7ME/s400/Cylance+Fig7-fileless_malware.png" width="400" /></a></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;"><br /></span></div>
<div style="line-height: normal;">
</div>
<ul style="text-align: left;">
<li><span style="font-family: "helvetica";"><a href="https://www.cylance.com/en_us/blog/threat-spotlight-the-truth-about-fileless-malware.html" target="_blank">Cylance - Threat Spotlight: - The Truth about Fileless Malware</a></span></li>
</ul>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">As a defender who spends most of my time on detection and response duties, I would like to suggest some new concepts that better separate what malware does today, instead of generically calling it '<b><i>fileless</i></b>'. That label is misleading and does not help us understand the method of the attack, and understanding the method is what helps us detect and defend against it, which is the ultimate goal.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span><br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">I
would like to introduce a new "<b><i>Malware Archaeology Malware Attack Chain</i></b>" to incorporate the
new proposed concepts. Let's start with the word malware, which is
meant to stand for 'malicious software'. Let's take this term and
modernize it to reflect the evolution of today's malware by aligning it
to the ways we would detect and defend against what the malwarians are
doing within the attack, whatever type of malware used, which includes
the fileless component.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span><br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">So
what do the vendors mean when they say 'fileless malware'? Well, I
think this may vary by vendor and researcher, but generally it is meant
to indicate that once a system is fully infected, there are no files
remaining on disk that can be found while the system is running and the
malware is active.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span><br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">We
should consider that there is more to an infection than the final
infected state, because there is! The stages or ways the system is
infected and persists should be the focus to better detect and respond,
and perform more focused Incident Response.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span><br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">Let's take a typical malware infection and walk through the steps or stages of the infection. We will use an attack that was received via email, like the one in the Cylance article above.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
</div>
<ol style="text-align: left;">
<li>Email received and opened</li>
<li>User double clicks an attachment or downloads a file via a URL in the email</li>
<li>The system gets infected executing all the needed steps by downloading any needed files</li>
<li>Executing the malware components</li>
<li>Adding, changing or deleting files</li>
<li>Creating some form of persistence on the system</li>
<li>Running Malware behavior</li>
<li>Re-Infection after a reboot</li>
<li>Re-Infection behavior</li>
<li>Network behavior</li>
</ol>
<br />
<br />
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">Now
let's give names to some of these steps so we can define what they are
and how they can vary to include a "fileless" type of malware infection.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span><br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">Start with the delivery method, in this case email. To better capture the method of attack delivery, how about something more descriptive, like:</span></div>
<div style="font-size: 12px; line-height: normal;">
<br />
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">EmailWare</span></li>
<li><span style="font-family: "verdana" , sans-serif;">URLWare, or WebWare</span></li>
</ul>
<br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">Once the download has begun, many things happen, starting with the way the infection is delivered, downloaded and initially executed. How about we call this stage:</span></div>
<div style="font-size: 12px; line-height: normal;">
<br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">InfectWare</span></li>
</ul>
<br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">This would include how the system initially gets infected, including the noise made that properly configured logs would capture. Whether it used built-in utilities, initial executions of binaries, file and registry changes, or anything else that can be detected during the initial infection, the logs could capture it. This can include, as some fileless malware reports mention, the dropping, execution and deletion of files, which to me negates the generic term 'fileless', but we will ignore this point for the time being. I propose this stage be named "<b><i>InfectWare</i></b>".</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span><br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">If files are used, and remain on disk after the infection is complete, we can refer to this stage as;</span></div>
<div style="font-size: 12px; line-height: normal;">
<br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">FileWare </span></li>
</ul>
<br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">This makes it clear that files are involved at some point during the infection, even if they are deleted once persistence is established. If the files were deleted after the initial infection, we can refer to this as:</span><br />
<br />
<ul style="text-align: left;">
<li>DeletedWare</li>
</ul>
</div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">Now, the persistence can have many names, since there are so many ways to persist on a Windows system. For example, a simple Run key where the files remain on disk is a typical malware infection, but we are seeing more methods of persistence with the evolution of malware, so we need a new way to refer to these infection methods. There are many forms that are generically referred to as 'fileless malware', so let's give them better, more descriptive names that let us focus detection and response:</span></div>
<div style="font-size: 12px; line-height: normal;">
<br />
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">RegWare - Malware that hides in the registry</span></li>
<li><span style="font-family: "verdana" , sans-serif;">WMIWare - Malware that hides in the WMI database</span></li>
<li><span style="font-family: "verdana" , sans-serif;">PSWare - Malware that utilizes PowerShell</span></li>
<li><span style="font-family: "verdana" , sans-serif;">BootWare - Malware that hides in a system's boot sector</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Etc...</span></li>
</ul>
<br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<br />
<span style="font-size: 12pt;"></span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">Now that we have some new terms, we can add clarification to malicious attacks and much needed context to the "<b><i>Malware Attack Chain</i></b>". Adding these terms to the "<b><i>Malware Archaeology Malware Attack Chain</i></b>" gives us more information to help us detect and respond, and a better understanding of where to look and what to look for.</span></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb_Ammu2ocusIRiSCvWu_j7GOkM7oRlwH0GZJnLbgjUCh9SafSXS0ulKpeSiJi9ImAlxZCr1jnjYtNDRbxIMmGSzKJl7aAr0ZBHYDZEJiDHAvxh__dj8xbs5u_sW_tlen7O9lu9QTksDY/s1600/MW+Arch+Malware+Attack+Chain.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb_Ammu2ocusIRiSCvWu_j7GOkM7oRlwH0GZJnLbgjUCh9SafSXS0ulKpeSiJi9ImAlxZCr1jnjYtNDRbxIMmGSzKJl7aAr0ZBHYDZEJiDHAvxh__dj8xbs5u_sW_tlen7O9lu9QTksDY/s400/MW+Arch+Malware+Attack+Chain.JPG" width="400" /></a></div>
<div style="line-height: normal; min-height: 13.8px;">
<div style="font-family: helvetica; font-size: 12px;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Now that we have more terms to describe what "fileless" is, fileless malware can be demystified and made less scary, and we are better able to detect and respond to this type of threat using the right tool(s) to hunt for the artifacts.</span></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">For example, <b><i><a href="https://www.imfsecurity.com/" target="_blank">LOG-MD-Professional</a></i></b> can search the registry for large registry keys, search the PowerShell logs, and find locked files, which is a new tactic to block binaries from being inspected. <b><i>LOG-MD</i></b> also has an AutoRuns feature that can discover the majority of persistence locations. Other tools and scripts can focus on WMI persistence or other interesting bits. Now we at least have direction on where to look for fileless malware, and can better improve our detection abilities.</span></div>
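<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">To make the "where to look" concrete, here is an added PowerShell hunting example (not LOG-MD, not from the Cylance article, and not the author's code) that reports three of the artifact classes named above: RegWare as oversized values under common autorun keys, WMIWare as permanent WMI event subscriptions in root\subscription, and PSWare as script block logging events (ID 4104) whose text matches common loader idioms. The key list, the 1 KB size threshold, the 24-hour lookback and the regular expression are assumptions to tune for your environment:</span></div>

```powershell
# Added example: a quick hunt for the artifact classes the post names.
# Not LOG-MD or any of the author's tools; the key list, the size threshold,
# the 4104 regex and the report shape are this example's own assumptions.
# Run elevated so HKLM and root\subscription can be read.
[CmdletBinding()]
param(
    [int]$LargeValueBytes = 1024,   # autorun values are normally a short path
    [int]$LookbackHours   = 24      # window for PowerShell script block events
)

# RegWare: autorun keys where an encoded or script payload is usually parked.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Find-LargeRegistryValues {
    foreach ($keyPath in $AutorunKeys) {
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # Byte size whatever the value type (REG_BINARY, REG_MULTI_SZ, REG_SZ).
            $size = 0
            if ($raw -is [byte[]]) { $size = $raw.Length }
            elseif ($raw -is [string[]]) { $size = ($raw -join '').Length * 2 }
            else { $size = ([string]$raw).Length * 2 }
            if ($size -ge $LargeValueBytes) {
                [pscustomobject]@{ Kind = 'RegWare'; Location = "$keyPath\$name"; Detail = "$size-byte value" }
            }
        }
    }
}

function Find-WmiSubscriptions {
    # WMIWare: permanent event subscriptions. A __FilterToConsumerBinding pairs
    # a filter (the trigger query) with a consumer (the action that gets run).
    $ci = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
    foreach ($f in Get-CimInstance @ci -ClassName __EventFilter) {
        # 'SCM Event Log Filter' ships with Windows; anything else deserves a look.
        [pscustomobject]@{ Kind = 'WMIWare'; Location = "__EventFilter\$($f.Name)"; Detail = $f.Query }
    }
    foreach ($c in Get-CimInstance @ci -ClassName CommandLineEventConsumer) {
        [pscustomobject]@{ Kind = 'WMIWare'; Location = "CommandLineEventConsumer\$($c.Name)"; Detail = $c.CommandLineTemplate }
    }
    foreach ($c in Get-CimInstance @ci -ClassName ActiveScriptEventConsumer) {
        [pscustomobject]@{ Kind = 'WMIWare'; Location = "ActiveScriptEventConsumer\$($c.Name)"; Detail = $c.ScriptText }
    }
}

function Find-SuspiciousScriptBlocks {
    # PSWare: event 4104 (script block logging) records what actually ran, even
    # when nothing touched disk. Property index 2 of a 4104 is ScriptBlockText.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $pattern = 'FromBase64String|-EncodedCommand|Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient'
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $text = [string]$e.Properties[2].Value
        if ($text -match $pattern) {
            $snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            [pscustomobject]@{ Kind = 'PSWare'; Location = "4104 record $($e.RecordId)"; Detail = $snippet }
        }
    }
}

$findings = @(Find-LargeRegistryValues) + @(Find-WmiSubscriptions) + @(Find-SuspiciousScriptBlocks)
if ($findings.Count -eq 0) {
    Write-Host 'No RegWare, WMIWare or PSWare artifacts matched; widen the threshold or lookback.'
} else {
    $findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
}
```

<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Treat the table as leads, not verdicts: benign entries such as the Windows-shipped SCM event log subscription and legitimate administrative scripts will appear, and building the known-good list for your environment is the same tuning you would do for any detection tool.</span></div>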
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">We can also use this logic to evaluate Next Generation Anti-Virus and Endpoint Detection and Response (EDR) tools.</span></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Happy Hunting!</span></div>
</div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal; min-height: 13.8px;">
<span style="font-size: 12pt;"></span><br /></div>
<h2 style="line-height: normal; min-height: 13.8px; text-align: left;">
<span style="font-family: "verdana" , sans-serif; font-size: small;">PodCast:</span></h2>
<div>
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><a href="http://brakeingsecurity.com/2017-016-fileless_malware-and-reclassifying-malware-to-suit-your-needs" target="_blank">Brakeing Down Security PodCast: "Fileless Malware" - 2017-016</a></span></li>
</ul>
</div>
<h2 style="line-height: normal; min-height: 13.8px; text-align: left;">
<span style="font-family: "verdana" , sans-serif; font-size: small;">References:</span></h2>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://www.cylance.com/en_us/blog/threat-spotlight-the-truth-about-fileless-malware.html" target="_blank">Cylance - Threat Spotlight: The Truth about Fileless Malware</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/" target="_blank">Carbon Black - Non-Malware Attacks</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/" target="_blank">Kaspersky - Fileless attacks against enterprise networks</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/" target="_blank">Ars Technica - A rash of invisible, fileless malware is infecting banks around the globe</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="http://thehackernews.com/2017/03/powershell-dns-malware.html" target="_blank">The Hacker News - New Fileless Malware uses DNS queries to receive PowerShell commands</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://www.tripwire.com/state-of-security/off-topic/is-fileless-malware-really-fileless/" target="_blank">Tripwire - Is Fileless Malware really fileless?</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://www.wired.com/2017/02/say-hello-super-stealthy-malware-thats-going-mainstream/" target="_blank">WIRED - Say hello to the super-stealthy malware that's going mainstream</a></span></li>
</ul>
<div style="font-size: 12px; line-height: normal;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
</div>
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<span style="font-size: 12pt;">#InfoSec #MalwareArchaeology #LOG-MD</span></div>
</div>
Hacker Hurricane (http://www.blogger.com/profile/02277577209226007877, noreply@blogger.com) | tag:blogger.com,1999:blog-4959410943781832320.post-5501956936240355998 | published 2016-10-24T19:46:00.000-05:00, updated 2016-10-24T19:48:57.988-05:00 | The Windows Logging, File and Registry Auditing Cheat Sheets updated for Windows 10 and some cleanup and additions<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.malwarearchaeology.com/cheat-sheets/" target="_blank"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTd05EeMWF0GmZvnRHW5iiDvDYXNGWiL4gDggv8m64cOLdufYlD2EMdxgO5Q-ypC2B8T-ge_8lqgaQBI9jCjlpDhA83h763dTGwRYGrTiUL04GUKSKZVTZMUu_FxadSdjo8KiRFqL3fBM/s320/Win+Logging+CS+OCt+2016.JPG" width="255" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: "verdana" , sans-serif;">The 'Windows Logging Cheat Sheet', 'Windows File Auditing Cheat Sheet' and 'Registry Auditing Cheat Sheet' have been updated for 2016. The cheat sheets have been updated in part due to auditing improvements added by the 'Windows 10 Anniversary Update' released earlier this year. We also took the opportunity to do some cleanup and add more autorun keys to the registry auditing cheat sheet. Updates are easy to spot, just look for '<b><i>new</i></b>'.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><a href="http://www.malwarearchaeology.com/cheat-sheets/" target="_blank">The Cheat Sheets can be found here:</a></span></li>
</ul>
<br />
<br />
<span style="font-family: "verdana" , sans-serif;">We also post the cheat sheet on SlideShare with our presentations, just search for "LOG-MD" and/or "MalwareArchaeology" </span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">LOG-MD is currently being updated to incorporate the changes, so watch for an announcement soon!</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">You can get the "<b><i>LOG-MD Free edition</i></b>" here:</span><br />
<br />
<ul style="text-align: left;">
<li> <span style="font-family: Verdana, sans-serif;"><b><a href="http://www.log-md.com/" target="_blank">LOG-MD.com</a></b></span></li>
</ul>
<br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Happy Hunting!</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">#InfoSec, #MalwareArchaeology</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
Hacker Hurricane (http://www.blogger.com/profile/02277577209226007877, noreply@blogger.com) | tag:blogger.com,1999:blog-4959410943781832320.post-4616731827740628118 | published 2016-09-15T00:59:00.003-05:00, updated 2017-06-23T10:31:14.248-05:00 | Avoiding Ransomware with built in basic changes<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQY5HjMFgHC8OFw4JDjBnepvoWRNyi90VCLCAWmHGIKBiOf24WIGiXV2UvSLAQbwz4VtQThxkLp_HW-tuq4l8uWTjJVq1xoqzAnavFczE9YeW4LQYrnMqFRsswCJZG220Uoxu7xPx2T_o/s1600/locky-ransomware-100645181-large.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: left;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQY5HjMFgHC8OFw4JDjBnepvoWRNyi90VCLCAWmHGIKBiOf24WIGiXV2UvSLAQbwz4VtQThxkLp_HW-tuq4l8uWTjJVq1xoqzAnavFczE9YeW4LQYrnMqFRsswCJZG220Uoxu7xPx2T_o/s400/locky-ransomware-100645181-large.jpg" width="400" /></a></div>
<br />
<br />
<span style="font-family: "verdana" , sans-serif;">Ransomware is a pain for those who have been unfortunate enough to get infected or have had to respond to a ransomware event. While I was presenting at the ISC2 Congress, ransomware was a hot topic, and I was asked what you can do to avoid users getting infected. Notice I am saying "avoid" versus "prevent". Prevention is difficult because malware creators constantly change how they get people to open the malware. Avoidance means a reduction, not 100% prevention.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">Turns out there are a couple easy things you can do that are built into Windows and FREE, just add a little effort that will drastically reduce the ransomware infections. First, let's look at how users get ransomeware in the first place.</span><br />
<br />
<h4 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Drive by surfing:</span></h4>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">While surfing the Internet ransomeware can infect a computer when a person just visits a compromised website. A person does not have to do anything other than visit the wrong website at the wrong time to get infected.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h4 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Drive by RansomWare avoidance:</span></h4>
<span style="font-family: "verdana" , sans-serif;">I tell people to do the following things... </span><br />
<ol style="text-align: left;"><span style="font-family: "verdana" , sans-serif;"><br /></span>
<li><span style="font-family: "verdana" , sans-serif;">Stop using Internet Explorer or Edge to surf the Internet unless the website specifically requires one of these browsers. Why? because there are no script blockers available for IE and Edge as of yet. Drive by ransomware uses javascript to auto execute the ransomware script using the browser as the execution device. Using a script blocker will avoid these types of infections. </span></li>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<li><span style="font-family: "verdana" , sans-serif;">Use Chrome or FirsFox with a script block extension(s) such as uBlock Origin, Script Block or No Script to name a few.</span></li>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<li><span style="font-family: "verdana" , sans-serif;">Use Ad block extentions to block ads, ransomware loves ads, they will pay real money to get their infection ads on a legitimate ad website </span></li>
</ol>
<h4 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Email RansomWare avoidance:</span></h4>
<span style="font-family: "verdana" , sans-serif;">This is how most people contract ransomware infections. An email comes in with an attachment or URL and the person opens the attachment or weblink and BAM! infected. But there is hope. Email attachments or the URL that will take a user to a website that then has the user download a file and open the file. The vulnerability here is the auto execution of file types that just are NOT needed by the average user or most users. These file types are heavily used to infect computers because Microsoft and their ultimate wisdom allows odd file types to be executed if a user opens them and ransomeware is capitalizing on this vulnerability. You can however tell Windows using Group Policy or setting locally to change the default behavior for any file type like the ones used by ransomware:</span><br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">.js</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.jse</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.vbe</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.vbs</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.wsh</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.wsf</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.scr</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.pif</span></li>
<li><span style="font-family: "verdana" , sans-serif;">.hta</span></li>
</ul>
<span style="font-family: "verdana" , sans-serif;">To change the file extension default program in Windows 7 thru 10 open:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Control Panel - Default Programs - Associate a file type or protocol with a specific program</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJTPUxC6f7Ek4hlJEsJnwLMJ4mjQ5DEyTKZeBVcqxBn2ec1JqiEs2EQak-9HXuI8lhJ1EdYi0s2PFer-eFYwIn-u6P65OVSANM3uw_18rK4C7oBgo6P48b0U3nTPiN7puY5EHNjzKpj3g/s1600/File+Association+default.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJTPUxC6f7Ek4hlJEsJnwLMJ4mjQ5DEyTKZeBVcqxBn2ec1JqiEs2EQak-9HXuI8lhJ1EdYi0s2PFer-eFYwIn-u6P65OVSANM3uw_18rK4C7oBgo6P48b0U3nTPiN7puY5EHNjzKpj3g/s640/File+Association+default.PNG" width="640" /></span></a><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<span style="font-family: "verdana" , sans-serif;">Find these extensions and change them all to open <b><i>Notepad</i></b>. In fact, any file type that opens a script program should be changed. Anyone actually using these file types will know how to open the file in the correct program they need. Your average user will never need these auto execution settings. Change anything with "<b><i>Microsoft Windows based script host</i></b>" to <b><i>Notepad</i></b> and now the scripts will not execute when a person opens them, they will just see the contents in Notepad.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXmkuArtnF_JLAnMm-Bz9IaKBxseX99HEDpE3bzaeiVAEpXw8p6MJlc1NGPrko7a6xBYDLdebtpiYftC6t-9rSccExfGmaZnGxckScgepWE5p3qlvaecsgi5hrDl5e6wegWSgehymousk/s1600/File+Association+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXmkuArtnF_JLAnMm-Bz9IaKBxseX99HEDpE3bzaeiVAEpXw8p6MJlc1NGPrko7a6xBYDLdebtpiYftC6t-9rSccExfGmaZnGxckScgepWE5p3qlvaecsgi5hrDl5e6wegWSgehymousk/s640/File+Association+1.PNG" width="640" /></span></a><br />
<br />
<h4 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Block Email attachments that are scripts or executables:</span></h4>
<span style="font-family: "verdana" , sans-serif;">Many Email gateways and mail servers have the ability to block certain file types from being delivered to the end user. Most will have executables blocked like attachments containing ".EXE", but most will not have the scripts mentioned above blocked. Add these file types to be blocked upon receipt and now users will never even see the bad emails with ransomware. If you do need these file types for developers, then educate the users to encrypt the files in an archive format like .Zip or .7z and password protect them.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">We have already seen ransomeware being emailed within zip files, but without passwords or with the password included in the email asking the recipient to open the archive. At least you now only have one thing to educate your users to watch out for and <b><i>never</i></b> open an archive where the password is included in the same email.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">Of course there is always whitelisting using Applocker and/or Software Restriction Policies or other application whitelisting solution to block executable types and scripts that are not specifically approved. This takes more work and effort by IT and is the most intrusive to users since you will block the execution of anything that drops onto a system, but will definitely block ransomware and other malware.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">These simple improvements will reduce the ransomware risk your organization significantly.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">Happy Hunting</span></div>
</div>
Hacker Hurricane, 2016-08-01: LOG-MD Selected For Blackhat Arsenal Based On The 'Windows Logging Cheat Sheet'<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<img alt="https://www.blackhat.com/us-16/arsenal.html#log-md" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_2uzURRZa6RdgQmMMfP7R_efkM7QDAPK0FW0Hp-EMojSCsp-T81suGc7z_Dzhjp7P2hnGyigyKT4iko7F_eBSyNhZZY9sQs3ES2qc7iUUXVtw1pegcEUmRJXDE4awxI5RxSfKBpSpC8c/s1600/Arsenal+Page.JPG" title="" width="400" /></div>
<div id="yui_3_17_2_1_1470075671482_20208" style="background-color: white; margin-bottom: 22px; word-wrap: break-word;">
<span style="color: #3e3e3e; font-family: "gotham ssm a" , "gotham ssm b" , "gotham ssm" , "proxima nova" , "open sans" , "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 12px; line-height: 22px;">Come on by Blackhat Arsenal Thursday and check out LOG-MD in action with the latest version on how to check, set, and harvest malwarious activity on Windows systems.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.log-md.com/" target="_blank"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir58plQuLkTYG881ZIBVUKD4XjQE1UYajFO1HUTwCHzSoViMgUuL4EBKnArKXHphFXzbj_N-SeDlDffoacBPg46cCDAM4H95jgjVSvdZ9DCSWlGRUCeDn9JkgUZZ5R6aAhQFdwN1dcLus/s320/Log-MD+Discover+It.gif" width="320" /></a></div>
<div id="yui_3_17_2_1_1470075671482_20208" style="background-color: white; margin-bottom: 22px; text-align: center; word-wrap: break-word;">
<span style="color: #3e3e3e; font-family: "gotham ssm a" , "gotham ssm b" , "gotham ssm" , "proxima nova" , "open sans" , "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="line-height: 22px;"><b><br /></b></span></span>
<br />
<div style="text-align: center;">
<b style="color: #3e3e3e; font-family: "gotham ssm a", "gotham ssm b", "gotham ssm", "proxima nova", "open sans", "helvetica neue", helvetica, arial, sans-serif; line-height: 22px;">Michael Gough & Brian Boettcher</b></div>
<div style="text-align: center;">
<span style="color: #3e3e3e; font-family: "gotham ssm a" , "gotham ssm b" , "gotham ssm" , "proxima nova" , "open sans" , "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="line-height: 22px;"><b>Palm Foyer, Level 3, Station 8</b></span></span></div>
<div style="text-align: center;">
<span style="color: #3e3e3e; font-family: "gotham ssm a" , "gotham ssm b" , "gotham ssm" , "proxima nova" , "open sans" , "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="line-height: 22px;"><b>Thursday Aug 4th - 16:00 - 17:50</b></span></span></div>
</div>
<div id="yui_3_17_2_1_1470075671482_20208" style="background-color: white; color: #3e3e3e; font-family: "Gotham SSm A", "Gotham SSm B", "Gotham SSm", "Proxima Nova", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; line-height: 22px; margin-bottom: 22px; word-wrap: break-word;">
Based on the '<em>Windows Logging Cheat Sheet</em>', LOG-MD audits a Windows system for compliance with the 'Windows Logging Cheat Sheet', CIS, US-GCB and AU-ACSC standards and, if it fails, creates a nice report to help you know what to set and then guides you to where to set the items needed to pass the audit check. Once properly configured, LOG-MD then harvests security-related log data to help you investigate a suspect system.</div>
<div id="yui_3_17_2_1_1470075671482_29837" style="background-color: white; color: #3e3e3e; font-family: "Gotham SSm A", "Gotham SSm B", "Gotham SSm", "Proxima Nova", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; line-height: 22px; margin-bottom: 22px; margin-top: 22px; word-wrap: break-word;">
In addition, LOG-MD can perform full file system hashing to create a baseline that can be used to compare against a suspect system. LOG-MD can also baseline the registry and compare a suspect system's registry to a known good baseline to find altered settings, and even look for LARGE registry keys where malware is hiding payloads.</div>
<div id="yui_3_17_2_1_1470075671482_23834" style="background-color: white; color: #3e3e3e; font-family: "Gotham SSm A", "Gotham SSm B", "Gotham SSm", "Proxima Nova", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; line-height: 22px; margin-top: 22px; text-align: center; word-wrap: break-word;">
Come by Blackhat Arsenal and check us out and maybe get a goody too ;-)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blackhat.com/us-16/arsenal.html#log-md" target="_blank"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkZQWe05uz1sR0cGF-FjFONn2zavx3DHyeCu9v8TQn3_OERvutq7mvhbJYR7-sMFSSQN8rKLO53n0_9wK8-e7P_2MKKT6CDmRIZ-OIDoxMXaZRKMZReywETq4ChTZXTvohZWrgRZbUVcY/s1600/Arsenal+Badge.JPG" /></a></div>
<div id="yui_3_17_2_1_1470075671482_23834" style="background-color: white; color: #3e3e3e; font-family: "Gotham SSm A", "Gotham SSm B", "Gotham SSm", "Proxima Nova", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; line-height: 22px; margin-top: 22px; text-align: center; word-wrap: break-word;">
<br /></div>
</div>
Hacker Hurricane, 2016-06-16: The Windows PowerShell Cheat Sheet is now available!<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwXBT1FZwJwp-gNK0ZO8_EEUu6EklmYAUndVvmpty9XBV_Ojfyigs-HhSuQJRFYM35IJ9GBf6aSIhaQSvxwFOYmIb7cJPLW18E_IBi8dl8Hzg8hCBPE1pgftpF5leDRZJ1apVAgZ1vABw/s1600/PS_Ch_Sh.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwXBT1FZwJwp-gNK0ZO8_EEUu6EklmYAUndVvmpty9XBV_Ojfyigs-HhSuQJRFYM35IJ9GBf6aSIhaQSvxwFOYmIb7cJPLW18E_IBi8dl8Hzg8hCBPE1pgftpF5leDRZJ1apVAgZ1vABw/s640/PS_Ch_Sh.JPG" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;">We are proud to announce the release of the "<b><i>Windows PowerShell Logging Cheat Sheet</i></b>". This latest cheat sheet is focused at what options to set, where to set them and what to monitor to detect PowerShell activity and more so, malicious PowerShell activity.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This cheat sheet covers PowerShell versions 2 through 4 and the new PowerShell version 5, or Windows Management Framework as it is now called. There are links to other great PowerShell resources, settings to configure, either through Group Policy or manually in the registry. </span><span style="font-family: Verdana, sans-serif;">What to gather and harvest as far as Event ID's and what to look for as far as malicious activity.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The first goal of yours, of course after downloading the cheat sheet will be to get some test systems configured and validate everything is collecting as you expect. Then push out the settings to all your target systems you want to monitor, which should be all of them.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Also included is the use of Sysmon to catch PowerShell being called by another binary other than powershell.exe or powershell_ise.exe to catch misuse of the PowerShell Dll's.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Take a read, do some testing and of course, send us your thoughts.</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><a href="http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" target="_blank">"Windows PowerShell Logging Cheat Sheet"</a></span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;">#HappyHunting</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br /></div>
Hacker Hurricane, 2016-05-07: Windows Top 10 Events to monitor from My Dell Enterprise Security Summit Talk<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj-vZ9MB6AR87_9zRlfrMYUYeNLQjHqYroPmC2BxOh5x1-y3GdnNNmrGCysMTyrHsmwr6Qp00jqu606a5gIzq9VoVA9y4ImKq-rebvh_j0-DmVS-Kl2kKtfHDmtaT8Ofac6hjo-JeIVKY/s1600/Dell+ESS.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj-vZ9MB6AR87_9zRlfrMYUYeNLQjHqYroPmC2BxOh5x1-y3GdnNNmrGCysMTyrHsmwr6Qp00jqu606a5gIzq9VoVA9y4ImKq-rebvh_j0-DmVS-Kl2kKtfHDmtaT8Ofac6hjo-JeIVKY/s320/Dell+ESS.JPG" width="320" /></a></div>
<div id="yui_3_17_2_9_1462674069165_4100" style="background-color: #f0f4f4; color: #263333; font-size: 16px; line-height: 25.6px; margin-bottom: 1.6em; word-wrap: break-word;">
<span style="font-family: Verdana, sans-serif;">Here is my presentation from the talk I gave at the Dell Enterprise Security Summit in Atlanta April 21, 2016.</span></div>
<div id="yui_3_17_2_9_1462674069165_4103" style="background-color: #f0f4f4; color: #263333; font-size: 16px; line-height: 25.6px; word-wrap: break-word;">
<a data-cke-saved-href="http://www.slideshare.net/Hackerhurricane/the-top-10-windows-logs-event-ids-used-v10?qid=e0003812-fbf1-4733-a5c7-379b39b4deba&v=&b=&from_search=7" href="http://www.slideshare.net/Hackerhurricane/the-top-10-windows-logs-event-ids-used-v10?qid=e0003812-fbf1-4733-a5c7-379b39b4deba&v=&b=&from_search=7" id="yui_3_17_2_9_1462674069165_4105" style="color: #245959; text-decoration: none;" target="_blank"><span style="font-family: Verdana, sans-serif;">SlideShare Presentation - Windows Top 10 Events to monitor</span></a></div>
</div>
Hacker Hurricane, 2016-03-29: PowerShell Ransomware via Word Docs starting to rear its ugly head - completely detectable<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPR7xc-_T48glKjE0Gmfu8SPjAlI42Sa_h0601cPjeb1KdP01lTzY3uo17s-_4wagG0N2sp83FisU7hiyVu6LW-1pkuBPEaZo5l846a-j9sDXZJF_7pDW9Q_HnpsBgzO0pEK2mLHJmQcU/s1600/pw1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPR7xc-_T48glKjE0Gmfu8SPjAlI42Sa_h0601cPjeb1KdP01lTzY3uo17s-_4wagG0N2sp83FisU7hiyVu6LW-1pkuBPEaZo5l846a-j9sDXZJF_7pDW9Q_HnpsBgzO0pEK2mLHJmQcU/s320/pw1.png" width="320" /></a></div>
<br />
<br />
<span style="font-family: "verdana" , sans-serif;">Carbon Black last week released a report that PowerShell is being used in RansomWare attacks. Why is this important? By using PowerShell the RansomWare can be 100% diskless, meaning no malware binary needs to be dropped onto the system and stored on disk. It can, but does not have to<span style="font-family: "verdana" , sans-serif;">, </span>it just uses PowerShell commands to encrypt your data!</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">So how do you detect this condition<span style="font-family: "verdana" , sans-serif;"> or attack?</span></span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">First, <span style="font-family: "verdana" , sans-serif;">the malware is delivered in Malicious Word documents, so your email gateway might be able to scan and execute these<span style="font-family: "verdana" , sans-serif;"> type of documents. Most Email gateways do not <span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">detonate</span> attachments without a usually expensive add-on</span></span></span> feature, but of course, more $$$.</span></span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">You can enable logging per the "<i><b>Windows Logging Cheat Sheet</b></i>" found here:</span></span><br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><a href="http://www.malwarearchaeology.com/cheat-sheets/" target="_blank">MalwareArchaeology.com - Cheat Sheets</a> </span></span></li>
</ul>
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"> And once <span style="font-family: "verdana" , sans-serif;">your logs and auditing <span style="font-family: "verdana" , sans-serif;">is configured, alert on the following with your Log Management solution;</span></span></span></span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">1. Execution of VSSAdmin.exe</span></span></span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">2. Execution <span style="font-family: "verdana" , sans-serif;">of a PowerShell bypass</span></span></span></span></span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">VSSAdmin is used to delete the volume shadow copies from your system by t<span style="font-family: "verdana" , sans-serif;">he RansomWare to make re<span style="font-family: "verdana" , sans-serif;">covery without backups impossible. The PowerShell bypas<span style="font-family: "verdana" , sans-serif;">s is used to bypass any restrictions you might have to keep PowerShell scripts from running. Yes, Microsoft incldued a backdoor to execute PowerShell commands... YAY #FAIL</span></span></span></span></span></span></span></span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">You <span style="font-family: "verdana" , sans-serif;">would</span> look for the foll<span style="font-family: "verdana" , sans-serif;">owing in the 'Process Command Line' being executed;</span></span></span></span></span></span></span></span></span><br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">Execution<span style="font-family: "verdana" , sans-serif;">Policy bypass -<span style="font-family: "verdana" , sans-serif;">noprofile</span></span></span></span></span></span></span></span></span></span></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">and possibl<span style="font-family: "verdana" , sans-serif;">y </span>-<span style="font-family: "verdana" , sans-serif;">w</span>indow<span style="font-family: "verdana" , sans-serif;">s</span>tyle hidden </span></span></span></span></span></span></span></span></span></span></span></li>
</ul>
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">The first bullet will definitely alert you to <span style="font-family: "verdana" , sans-serif;">PowerShell nefarious behavior, the hidden w<span style="font-family: "verdana" , sans-serif;">indow may be used by admins to do maintenance items, so secondary on the alert<span style="font-family: "verdana" , sans-serif;">.</span></span></span></span></span></span></span></span></span></span></span><br />
<h3 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">Prevention - Whitelisting: </span></span></span> </span></span></span></span></span></span></span></span></h3>
<span style="font-family: "verdana" , sans-serif;">Whitelisting is about the only protection you have from RansomWare other than GREAT backups!!!</span><br />
<span style="font-family: "verdana" , sans-serif;"> </span><br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">You can setup <i><b>Software Restriction Policies</b></i> found on all versions of Windows exce<span style="font-family: "verdana" , sans-serif;">pt Windows Home versions for FREE! Just deny<span style="font-family: "verdana" , sans-serif;"> execution of:</span></span></span></span></span></span></span></span></span></span><br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">C:\Users\*</span></span> </span></span></span></span></span></span></span></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">You can do this for other directories too and make exceptions for what you want to execute</span></span></span></span></span></span></span></span> </span></li>
</ul>
</div>
<span style="font-family: "verdana" , sans-serif;">You can also use AppLocker<span style="font-family: "verdana" , sans-serif;"> to block <span style="font-family: "verdana" , sans-serif;">an unknown <span style="font-family: "verdana" , sans-serif;">executable or script</span></span></span>. AppLocker requires Windows Ultimate o<span style="font-family: "verdana" , sans-serif;">r Windows Enterprise. </span>The<span style="font-family: "verdana" , sans-serif;">re is an audit mode for AppLocker so you can test and allow what normally runs before enforcing the policy to block.</span></span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">Both Software Restriction Policies and AppLocker write blocks or potenti<span style="font-family: "verdana" , sans-serif;">al blocks to th<span style="font-family: "verdana" , sans-serif;">ei<span style="font-family: "verdana" , sans-serif;">r respective logs</span></span>. The Application Log for Software Restriction Policy violations and the AppLocke<span style="font-family: "verdana" , sans-serif;">r 'EXE and D<span style="font-family: "verdana" , sans-serif;">LL'</span></span></span></span> Log under Applications and Services - <span style="font-family: "verdana" , sans-serif;">Microsoft</span> Windows log.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">There you go, you better start logging PowerShell if you are going to keep up with the malwarians and this Crypto RansomWare!</span><br />
<div>
<br />
<span style="font-family: "verdana" , sans-serif;"><a href="https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/" target="_blank">Carbon Black article on PowerWare</a> </span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">Happy Hunting</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">#InfoSec #IncidentResponse #RansomWare</span><br />
</div>
</div>
Hacker Hurricane, 2016-02-17: Detecting port scans between hosts on the same segment, could you detect this? Windows could help<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<center>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA1Y92VE2uRPgUxlnt0AvzabdIPX6MKnWkxO5V2V2eArqaNmgepKE2VgCJt11vVxv0gDRbzhdv3JAcwDSV31v5WVaT2Z3hV_7s4x29ZVtPO6A2KGrYadGSurVT5DRwhk4vynIGUXFWvqY/s288/iphone_photo.jpg"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA1Y92VE2uRPgUxlnt0AvzabdIPX6MKnWkxO5V2V2eArqaNmgepKE2VgCJt11vVxv0gDRbzhdv3JAcwDSV31v5WVaT2Z3hV_7s4x29ZVtPO6A2KGrYadGSurVT5DRwhk4vynIGUXFWvqY/s400/iphone_photo.jpg" style="margin: 5px;" width="400" /></span></a></center>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Thanks to one of my fellow InfoSec brethren and fellow security product developer, he got me thinking as to how to detect a situation he presented me, and well, I finally had an engram kick-in and off I went to see how I would I detect this condition.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">We are all too familiar with port scans against our firewalls from a myriad of ne'er-do-wellers and how a firewall or other specialty network device detects and blocks reconnaissance behavior. Simply stated, one IP hitting multiple ports, OK, a lot of ports in a fairly short period of time, is the main indicator.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">But what about inside your network, not just Internet facing systems: how would you detect a port scan occurring? Say, recon by a malwarian already inside a compromised box, a misguided employee, a rogue admin, a Pen Test consultant, etc. As long as there is a firewall or network device between the source (bad guy) and the target, and it is being logged, you could detect a port scan. Or if you have an IDS/IPS inline between the two hosts involved, you could detect the port scan IF you have the logs being monitored and alerting on this kind of behavior. If you have a managed service IDS/IPS provider then they should be calling you, or at a minimum alerting you to an internal port scan, so this is a way to see if they are doing what you pay them for, or whether you have shortcomings in your malicious network detection capabilities. I will also assume that switches are not being logged, as this produces more noise than value in most cases.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja-8wqVYb-Sh8sU5JguydLhK9qcW1whB8yj98VAJV0SQ1OF6D6FXvdGz6wcSklbCl7NQSmXBseXFQ_pYviMl3fLrzgGa1ZCugB_uc8ZLqLjZSPzZw1HNvowZZdaP5vWWlTyPUBUFl_tiE/s1600/segment.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja-8wqVYb-Sh8sU5JguydLhK9qcW1whB8yj98VAJV0SQ1OF6D6FXvdGz6wcSklbCl7NQSmXBseXFQ_pYviMl3fLrzgGa1ZCugB_uc8ZLqLjZSPzZw1HNvowZZdaP5vWWlTyPUBUFl_tiE/s200/segment.JPG" width="187" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">But what about same segment port scanning? What if a malwarian is on one host and scans ONLY that subnet and surrounding IP's, could you detect a port scan? Is your IDS/IPS connected to a span port that can see ALL traffic going between systems within a switch or network segment? If not, what else could you do? Would you believe Windows Logs to the rescue if the target is Windows? You could do the same with IPTables on NIX systems by the way.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The Windows Firewall logs can detect this behavior, but it is not a setting I normally recommend because of the noise it generates, most of which is of little value. And thus this blog post. If you test your port scan detection capabilities, and I suggest you do, this is where my InfoSec Musketeer comes into play. Thanks Marcus for planting the seed and "Hey.. where is my avatar on the main page???". <b><i>VThreat</i></b> is an all browser based solution that lets you test your ability to detect various nefarious activities, one of which is a port scan. Many of you might be wondering right about now, does my IDS/IPS cover this condition? Could you detect a port scan between two hosts, workstations or servers on the same segment, an IP or two apart? Check out <b><i>VThreat</i></b> if you want to test for it! Or play with what I list below, at a minimum to see if you can detect a local segment port scan successfully. You should be able to detect most of them with well tuned tools, which <b><i>VThreat</i></b> can help you test.</span><br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><b><a href="http://vthreat.com/" target="_blank">https://www.VThreat.com/</a></b></span></li>
</ul>
<span style="font-family: "verdana" , sans-serif;">For Windows systems and Group Policy, if you enable "<b><i>Filtering Platform Connection</i></b>" under <b><i>Object Access</i></b> in the <b><i>Advanced Audit Policy</i></b> and you enable "<b><i>Failure</i></b>", where normally I recommend only "<b><i>Success</i></b>", you can detect a local port scan where your network devices may fail you. The logs will provide you with EventCode 5156 "failed" attempts to create a connection to the Windows host, in quantities that are never normal. This is an option I generally recommend against enabling, but here is an example of why you might want to.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Remember, you do not have to send this data to Splunk or another log management solution. You can collect it locally and craft a script to query for this data as you see fit. Of course <b><i>LOG-MD</i></b> will collect this information if enabled, as a tactical solution for IR work or to test whether your network devices and logging are up to snuff.</span><br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><b><a href="http://log-md.com/" target="_blank">LOG-MD website</a></b></span></li>
</ul>
<span style="font-family: "verdana" , sans-serif;">Here is a sample Splunk query for you to ponder and expand upon. Just adjust the ports you want to cover (<20000) and the quantity over time (>10) and then search over the past hour and do some testing.<br /><br /><span style="background-color: #f3f3f3;">index=win_logs LogName=Security EventCode=5156 | table host Source_Address, Source_Port, Destination_Address, Destination_Port, Protocol, Keywords | search Source_Port < 20000 | stats count dc(Source_Port) AS Port_Count values(Source_Port) AS Port values(Keywords) by Destination_Address | where Port_Count > 10</span><br /> <br />Happy Hunting!<br /><br />#InfoSec #MalwareArchaeology</span><br />
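<span style="font-family: "verdana" , sans-serif;">As an added example (not from the post), here is the same detection logic as the Splunk query above written in Python over a handful of constructed 5156-style records, so you can see the distinct-port threshold, the port ceiling and the one-hour window working; the host name, addresses and timestamps are made up.</span><br />

```python
"""Same-segment port-scan detection over Windows Filtering Platform events.

Re-implements the post's Splunk query in Python over constructed records:
keep Security log EventCode 5156 records from the trailing window, drop
local ports at or above the port ceiling, group by Destination_Address,
count distinct Source_Port values and flag peers above the threshold.
Field names follow the Splunk query (Source_Address, Source_Port, ...);
as in that query, Destination_Address is treated as the probing peer and
Source_Port as the local port that was touched.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

BASE = datetime(2016, 2, 17, 22, 0, 0)  # arbitrary anchor for constructed timestamps


def _ev(offset_s: int, local_ip: str, local_port: int,
        peer_ip: str, peer_port: int, keywords: str) -> Dict:
    """Build one constructed 5156-style record (not a real log entry)."""
    return {
        "_time": BASE + timedelta(seconds=offset_s),
        "host": "WS-TARGET", "LogName": "Security", "EventCode": 5156,
        "Source_Address": local_ip, "Source_Port": local_port,
        "Destination_Address": peer_ip, "Destination_Port": peer_port,
        "Protocol": 6, "Keywords": keywords,
    }


SCANNED_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3306, 3389, 5985, 8080]

# Constructed sample: peer 10.0.1.50 sweeps 14 local ports in 14 seconds,
# peer 10.0.1.70 hits only port 445 twelve times (normal file-share chatter),
# peer 10.0.1.80 touches a local port above the ceiling, and peer 10.0.1.90
# ran a 12-port sweep two hours earlier, outside the default one-hour window.
SAMPLE_EVENTS: List[Dict] = (
    [_ev(i, "10.0.1.60", p, "10.0.1.50", 40000 + i, "Audit Failure")
     for i, p in enumerate(SCANNED_PORTS)]
    + [_ev(300 + i, "10.0.1.60", 445, "10.0.1.70", 49200 + i, "Audit Success")
       for i in range(12)]
    + [_ev(400, "10.0.1.60", 49700, "10.0.1.80", 443, "Audit Success")]
    + [_ev(-7200 + i, "10.0.1.60", p, "10.0.1.90", 41000 + i, "Audit Failure")
       for i, p in enumerate(SCANNED_PORTS[:12])]
)


def detect_port_scans(events: List[Dict], max_port: int = 20000,
                      min_ports: int = 10, window_hours: float = 1.0) -> Dict[str, Dict]:
    """Return {peer: {count, Port_Count, Ports, Keywords}} for every peer whose
    distinct-local-port count exceeds min_ports (the query's Port_Count > 10)."""
    wanted = [e for e in events
              if e.get("LogName") == "Security" and e.get("EventCode") == 5156]
    if not wanted:
        return {}
    # "search over the past hour": the window is measured back from the newest event
    cutoff = max(e["_time"] for e in wanted) - timedelta(hours=window_hours)
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "keywords": set()})
    for e in wanted:
        # keeps Source_Port below the ceiling (the query's Source_Port filter)
        if cutoff > e["_time"] or e["Source_Port"] >= max_port:
            continue
        g = groups[e["Destination_Address"]]
        g["count"] += 1
        g["ports"].add(e["Source_Port"])
        g["keywords"].add(e["Keywords"])
    return {
        peer: {"count": g["count"], "Port_Count": len(g["ports"]),
               "Ports": sorted(g["ports"]), "Keywords": sorted(g["keywords"])}
        for peer, g in groups.items() if len(g["ports"]) > min_ports
    }


if __name__ == "__main__":
    for peer, info in detect_port_scans(SAMPLE_EVENTS).items():
        print(f"{peer}: {info['Port_Count']} distinct local ports "
              f"{info['Ports']} keywords={info['Keywords']}")
```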
</div>
Hacker Hurricane (2016-02-03): Japanese National Cert Blog on Windows commands abused by attackers<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<center>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMIawIL_R5xaXjPM3suQPHmBevpmX4jnUTmCdTnVvFJn2_yUSuzXsS0Vj7O2nwQO8Wn77xJc-zlykwTx_jnSJAPQK3QinGqF4XaeF2xW16aqpV4JYiubm9Awa9ZdGHUlGgHhP_aKe3hVg/s288/iphone_photo.jpg"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMIawIL_R5xaXjPM3suQPHmBevpmX4jnUTmCdTnVvFJn2_yUSuzXsS0Vj7O2nwQO8Wn77xJc-zlykwTx_jnSJAPQK3QinGqF4XaeF2xW16aqpV4JYiubm9Awa9ZdGHUlGgHhP_aKe3hVg/s400/iphone_photo.jpg" style="margin: 5px;" width="400" /></a></center>
<br />
<span style="font-family: "verdana" , sans-serif;">Japan's National CERT released a blog on the breakdown of Windows commands abused by attackers. This is GREAT WORK and one of the best articles to reinforce what I have been saying in my presentations, Windows Logging training and of course the '<b><i>Windows Logging Cheat Sheet</i></b>'. Logging command line execution is critical for a mature Detection and Response program.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">JP-CERT broke down the commands into 3 categories:</span><br />
<ol style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">Initial investigation: Collect information of the infected machine</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Reconnaissance: Look for information saved in the machine and remote machines within the network</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Spread of infection: Infect the machine with other malware or try to access other machines</span></li>
</ol>
<br />
<span style="font-family: "verdana" , sans-serif;">This is the first time someone has tried to break up the commands into categories to better understand what the hackers are doing and at what stage. I have a slightly different opinion on this, but I do not have the luxury of compiling data like they do to create this kind of breakdown.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Most of the p0wnage I have been involved with is pure 'spread the infection', with some recon or investigation occurring during the spread. Much of what they do is scripted, so the behavior is identical; other attacks showed indications that more than one malwarian was involved, from the mistakes made (the Newb) and the way the other hacker worked and the commands used.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I have never really thought of breaking these commands into these three categories or more, but it might lead to some ideas for crafting logging alerts or tool tweaks from the behavior based solutions and our own work.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I promote the concept of '<b><i>Malware Management</i></b>', the review of malware reports and analysis to gain the artifacts used by the malwarians. These artifacts are used to help tune, tweak and improve your SecOps, Active Defense and Blue Team capabilities. I also promote the 'Windows Logging Cheat Sheet' to encourage enabling Command Line Logging to catch malicious behavior. You can get the Cheat Sheets here:</span><br />
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;"><a href="http://www.malwarearchaeology.com/cheat-sheets/" target="_blank">Windows Logging Cheat Sheet</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="http://malwaremanagementframework.org/" target="_blank">Malware Management Framework</a></span></li>
</ul>
<span style="font-family: "verdana" , sans-serif;">I have been involved in some hairy advanced attacks by a very persistent hacker group, and the commands the malwarians executed can be a fantastic way to separate normal admin or developer behavior from malwarian behavior. I recently saw a Tweet and disagreed with the point that 'a good hacker is indistinguishable from a developer'. I just don't agree: the commands attackers execute, as the data from JP-CERT shows, can be distinguished from normal behavior, and the quantity of execution is key, as the data shows.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">While doing malware analysis in my lab I also get to see what commodity malware of all types does, from crapware to RansomWare to the Dridex Trojan. What commands are built into the delivery, execution and call back, and the follow-on commands executed, are also telling and help to improve Detection and Response, if we listen.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">If you look up some of my presentations on SlideShare (MalwareArchaeology) you will see what commands were executed, malware payloads used, and built-in Windows commands abused by the malwarians.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I further the need to log command line execution and the importance by providing a sample query I created in Splunk for my 2015 Splunk .Conf presentation which can be found in the '<b><i>Windows Splunk Logging Cheat Sheet</i></b>' also found on my website at the link above.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Now my list of commands to watch out for, and that I recommend people monitor for, is more extensive than the ones in the JP-CERT blog. But all the commands I monitor for have been added in part through practicing Malware Management: analyzing malware to see what commands were executed, actual infected and compromised systems, and all the reports folks and companies like us put out. Once you see and experience an actual advanced attack and are able to capture and see the malwarians' behavior first hand, a light will go on and you will be able to tweak and adjust your tools to improve your Detection and Response capabilities.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Keep in mind that combining the Windows commands with other process executions, minus your normal program executions, will allow you to separate the developers and admins from your adversaries. Consider looking at where the commands are executed from, such as user space (\AppData\) versus All Users (\ProgramData) versus the program and Windows core directories. The data will begin to speak to you, of course ONLY if you have adequately configured logging like the Cheat Sheets recommend.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Happy Hunting!</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<a href="http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html" target="_blank"><span style="font-family: "verdana" , sans-serif;">JPCERT blog on Windows commands used by hackers</span></a><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">#InfoSec #MalwareArchaeology</span></div>
Hacker Hurricane (2016-01-21): Malware Management is even spelled out in ISO 27002<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<center>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipazTuLcSJqKJfzVur7X-sG3QPTgEDa0_MOL7A5vxHbv8Cv5-SytovIDh3h7qYZ6zyv2Y-yNiPhNU-4-5E3X9ePBHH2FiGVcpro_mkEz7JZZjuN_s4Tk2ZJilNayzExyhHA0wy-9tUIjY/s288/iphone_photo.jpg"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipazTuLcSJqKJfzVur7X-sG3QPTgEDa0_MOL7A5vxHbv8Cv5-SytovIDh3h7qYZ6zyv2Y-yNiPhNU-4-5E3X9ePBHH2FiGVcpro_mkEz7JZZjuN_s4Tk2ZJilNayzExyhHA0wy-9tUIjY/s400/iphone_photo.jpg" style="margin: 5px;" width="400" /></a></center>
<br />
<span style="font-family: "verdana" , sans-serif;">I have mentioned many times how <b><i>Malware Management</i></b> is a much needed practice for improving an Information Security program and your Security Operations team. If you want to begin hunting and find malware in your environment, you must first learn what and where to look as far as artifacts and IOC's.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">It is not just me suggesting you do this; it can also be found in the industry's leading information security framework standard, ISO 27002. Below is an excerpt of the standard discussing the need for Malware Management.</span><br />
<blockquote>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">A.12.2.1 Controls against malware</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">j) implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware.</span></blockquote>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">In my Malware Discovery training I teach people to go out and read virus/malware write ups, malware analysts reports and IR firms reports to collect the artifacts and IOC's that you can then populate into your security solutions, scripts or detection and response and incident response practices.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">So you should consider adding this to your 2016 list of security goals and objectives: spend one hour a week researching and reading the materials available to start a practice of Malware Management.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">You can find a list of Malware Reports from some of the more recognized malware campaigns on our websites:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<a href="http://www.malwarearchaeology.com/analysis" target="_blank"><span style="font-family: "verdana" , sans-serif;">www.MalwareArchaeology.com/analysis</span></a><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">or</span><br />
<a href="http://www.imfsecurity.com/reports" target="_blank"><span style="font-family: "verdana" , sans-serif;">www.IMFSecurity.com/malware-reports</span></a><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">And read what and how to do Malware Management here:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<a href="http://malwarearchaeology.com/mmf/" target="_blank"><span style="font-family: "verdana" , sans-serif;">The Malware Management Framework</span></a><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">By all means, send us links to other good reports so we can share. Generally you can find these reports discussed or released in articles from the RSS feeds of many of the vendors who work in the IR space, InfoSec blogs and many podcasts like "<a href="http://www.brakeingsecurity.com/" target="_blank"><b><i>Brakeing Down Security</i></b></a>" where I have been a guest discussing the subject.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">So don't take our word for it, take the advice straight from ISO 27002 and use this to help justify starting a <b><i>Malware Management</i></b> program in your organization.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Happy Hunting</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">#InfoSec #MalwareArchaeology #MalwareManagement</span><br />
<br /></div>
Hacker Hurricane (2016-01-06): For the love of humanity retailers, read the PoS malware reports and stop the BREACHES! Malware Management can save you, seriously!<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA3mJPT1ZNM3qe1M9418_pen4b44mVXKb5S_Cn1lhSxxyIIPs19DiZOfNd3_1EZQIQq2vpuO4egrorpIrMpKEhRbSlFGC2w1bsNjPYPTN8HF7PxreAUnAlpfxk7ekqa14cpenwhpGBDAM/s1600/point-of-sale-system.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA3mJPT1ZNM3qe1M9418_pen4b44mVXKb5S_Cn1lhSxxyIIPs19DiZOfNd3_1EZQIQq2vpuO4egrorpIrMpKEhRbSlFGC2w1bsNjPYPTN8HF7PxreAUnAlpfxk7ekqa14cpenwhpGBDAM/s320/point-of-sale-system.jpg" width="320" /></a></div>
<span style="font-family: Verdana, sans-serif;">I have blogged many times before about how <b><i>Malware Management</i></b> helps information security professionals and organizations improve their detection, Active Defense and Incident Response capabilities. The Hyatt breach and MODPoS prove yet again that <b><i>Malware Management</i></b> would have saved Hyatt and many other retailers after Jan 2014. Retailers must evolve or continue to be compromised. For that matter, all of us must evolve our detection capabilities or suffer a breach at some point. The ultimate goal of security operations is to detect an intrusion BEFORE the mass loss of data resulting in a breach, your firm's name in the news and possibly new employment opportunities for you.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In October 2015 iSight Partners released another good analysis report on the MODPoS malware. Much like their first report from Jan 2014 on BlackPoS, one of the main conclusions is the same, <b><i>the malware installed a new service!</i></b> </span><br />
<span style="font-family: Verdana, sans-serif;"><br />For the love of humanity, information security professionals, monitor your systems for the creation of new services! This is Malicious Detection 101, people. The one set of events that is enabled and available by default on Windows systems is the events for services starting, stopping, changing and installing. Yes, there were many more artifacts in these two malware reports, but one thing is common to both and to many other malware reports: a new service was installed, and it is the core persistence mechanism used in retail Point of Sale (PoS) infections. Many advanced malware attacks also use a new or existing service to maintain persistence; it's a very common technique.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Detect <b><i>Event ID 7045</i></b> or a change of a service state <b><i>Event ID 7040</i></b> and you can detect and stop PoS malware and many other advanced malware dead in their mag stripes.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<h2 style="text-align: left;">
<span style="font-family: Verdana, sans-serif;">Malware Management to the rescue!</span></h2>
<span style="font-family: Verdana, sans-serif;">
<br />Take it from someone who has lived there, too many times and caught the malwarians within an hour or so of the initial compromise. You CAN detect most advanced attacks and many commodity malware infections, but you must practice <b><i>Malware Management. </i></b>Read the malware analyst reports these experienced and seasoned professionals create, for the very reason of educating all of us to improve from real world events and experiences.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Read more on Malware Management here:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><b><a href="http://www.malwaremanagementframework.com/" target="_blank">www.MalwareManagementFramework.com</a></b></span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Read more on Windows Logging and use several cheat sheets we created to help you begin and refine your Windows logging ability available here:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><b><a href="http://www.malwarearchaeology.com/cheat-sheets" target="_blank">www.MalwareArchaeology.com/cheat-sheets</a></b></span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">And of course, use <b><i>LOG-MD</i></b> to audit your system and help set up proper logging to gather the needed log data. Even if you have a Log Management solution, use <b><i>LOG-MD</i></b> to refine your logging, improving what you collect, reducing the noise and the quantity of events, and reducing your license and storage requirements. You can get <b><i>LOG-MD</i></b> here:<br />
</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><b><a href="http://www.log-md.com/" target="_blank">www.Log-MD.com</a></b></span></li>
</ul>
<br />
<div>
<span style="font-family: Verdana, sans-serif;">So come on retailers, it is time to get with the times and read the malware reports on your own breaches to learn and improve and better defend yourselves. Everyone else too.</span></div>
<div>
<br /></div>
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><a href="http://cdn2.hubspot.net/hubfs/266554/Docs/iSIGHTPartners_ModPOS-Malware-Threat-Intelligent-Report.pdf?utm_campaign=DISCLOSURE+-+ModPOS&utm_medium=email&_hsenc=p2ANqtz-9xvPWvnNZzzP0yUzTGkk0vgnljLHxwesi-uYYxlMCfq_cwU7EsfZKyRCZUVC6cZd8GM1ACQE9UxGMG34Yc24MWuPSwCQ&_hsmi=23944966&utm_content=23944966&utm_source=hs_automation&hsCtaTracking=6c01b3fa-3048-4a13-ae51-70d76b60a64c|332a7e54-d180-4bab-b024-24b1ef096037" target="_blank">iSight Partners report on ModPoS</a> - Oct 2015</span></li>
<li><span style="font-family: Verdana, sans-serif;"><a href="http://www.securitycurrent.com/resources/files/KAPTOXA-Point-of-Sale-Compromise.pdf" target="_blank">iSight Partners report on BlackPos</a> - Jan 2014</span></li>
</ul>
<div>
<span style="font-family: Verdana, sans-serif;">More Malware Analyst reports are available on our website:</span></div>
<div>
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;"><b><a href="http://www.malwarearchaeology.com/analysis" target="_blank">www.malwarearchaeology.com/analysis</a></b></span></li>
</ul>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Happy Hunting!</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
Hacker Hurricane (2015-12-24): December Dridex variant and the best way to clean it without using Safe Mode and detect it using file and registry auditing<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<center>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_55Iy_O7t5Ojhculufd9ZxLgZi2PcyPUWx8AjzjQ1em-5GaxbpG0D-4JZDl7wHDiQHKyOCcx_4yihdSg_jfJpDRKN4bF8PCzNMcGskHd4gSV-0QivmxJsUGvfmNqrk3DuL9H8zQESy_0/s288/iphone_photo.jpg"><img border="0" height="411" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_55Iy_O7t5Ojhculufd9ZxLgZi2PcyPUWx8AjzjQ1em-5GaxbpG0D-4JZDl7wHDiQHKyOCcx_4yihdSg_jfJpDRKN4bF8PCzNMcGskHd4gSV-0QivmxJsUGvfmNqrk3DuL9H8zQESy_0/s640/iphone_photo.jpg" style="margin: 5px;" width="640" /></a></center>
<br />
<span style="font-family: Verdana, sans-serif;">If you ever wondered if file and registry auditing has value and worth doing, look no further than the latest Dridex malware variants as a perfect example of why you should start doing it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The latest variants of Dridex are delivered using specially crafted Word or Excel documents. The malicious documents contain macros and VB Scripts that, when the document is opened and content is enabled, or via an un-patched 0-Day (MS15-070), drop and execute the Dridex malware.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">There have been many variants of this malware, largely delivered with malicious Microsoft Office documents. The malwarians use an interesting approach: they drop VBScript into a &lt;random&gt;.vbs file that is assembled from variables in a batch file (&lt;random&gt;.CMD), which then calls an executable (&lt;random&gt;.EXE) and sometimes a PowerShell script backdoor (&lt;random&gt;.ps1). Note that the recent variants have moved away from PowerShell, but all variants seem to share the .CMD, .VBS and .EXE files to launch the initial infection.<br /><br />
In one of the latest variants of Dridex, the malwarians have added some morphing and anti-virus avoidance by generating a new file name, with a different hash and a varying file size, each time the system reboots! More importantly, on system startup the malware deletes its only payload file, a DLL obfuscated with what is possibly version 4 of the Armadillo packer and stored with a .TMP file extension. To avoid detection, Dridex launches on system startup, injects its malicious code into Explorer.exe, deletes itself from disk and deletes the Run key entry it used to launch itself, all before the user logs in! On shutdown Dridex writes itself back to disk, albeit with a different name and hash, and updates the Run key so that it is launched again when Explorer starts at the next boot.<br /><br />
When the system is up and running and a user is logged on, there are no files on disk and no autorun values in the registry by which to detect Dridex. The only key or keys that exist are a subkey under HKCU Explorer\CLSID that stores what looks to be configuration data, written just before the Run key is deleted on startup.<br /><br />
So how does someone detect malware of this type? With properly configured logs, of course! If you follow the 'Windows Logging Cheat Sheet' you would catch the malware launching with several 4688 'New Process Created' events. But how do you detect a condition where malware deletes itself on startup and writes itself back to disk on shutdown, and, more importantly, how do you clean or remediate it? Furthermore, how do you remediate it at scale, say over 100 systems?<br /><br />
Your best friend will be file and registry auditing to catch 4663 'File' and 4657 'Registry' events. Which locations do you need to audit? For files, the users' AppData directories; for the registry, the autorun locations. This way, when new files drop or get deleted, file auditing will catch the behavior and allow you to match the 4688 process execution events with the 4663 file auditing events, along with any autorun registry changes recorded as 4657 events. If you enable Windows Firewall logging (Packet Filtering) you will also get 5156 events listing the process and IPs that match the 4688 events as Dridex communicates with its Command and Control servers.<br /><br />
Applying file auditing on the \Users\&lt;username&gt;\AppData directories will catch the Dridex file activity. In the latest variant, or the variants we analyzed, Dridex uses the AppData\Roaming (%AppData%) directory for the .TMP file that is loaded on startup. The dropper/infector that comes out of the malicious Word or Excel document uses the AppData\Local\Temp (%temp%) directory, where the scripts (.cmd, .vbs and .ps1) and the initial infector executable are dropped and then deleted upon the initial infection.<br /><br />
This particular variant uses a random 4 character file name with a .tmp extension, but the file is actually a DLL that includes padding, which changes the file size and hash, and a packer (possibly Armadillo v4) to hide the malware from anti-virus and defeat obvious string discovery during analysis.<br /><br />
File and registry auditing detects the new file being created and the HKCU Run key being updated on shutdown and deleted on startup. New process execution auditing on startup will catch RunDll32 calling the randomly named (e.g. A32B.tmp) .TMP file found in the %AppData% Roaming root directory, which normally never contains executable files, or .tmp files for that matter; a key indicator of nefarious activity.</span><br />
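The detection logic described above, as an added example that is not part of the original post: it walks Security log records (4688, 4663, 4657) and flags the rundll32-plus-.tmp-in-%AppData%-root chain and the matching Run key changes. The user name, SID, value name and timestamps in the sample records are constructed.

```powershell
# Added example, not from the original post. Hunts Security log events for the
# Dridex launch chain described above: rundll32.exe loading a .tmp from the
# %AppData% (Roaming) root (4688), that .tmp being written or deleted (4663),
# and the HKCU Run key being written or removed (4657). Assumes process
# creation auditing with command-line logging plus file auditing on %AppData%
# and registry auditing on the Run key, as the post recommends.

function Get-EventField {
    # Return one named EventData field from an event rendered as XML
    # (the format Get-WinEvent's .ToXml() method produces).
    param([xml]$Event, [string]$Name)
    $node = $Event.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($null -ne $node) { return [string]$node.'#text' }
    return ''
}

function Find-DridexIndicator {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    begin {
        # A .tmp directly in the Roaming root, e.g. C:\Users\bob\AppData\Roaming\3309.tmp.
        # [^\\\s]+ forbids a subdirectory, which is exactly what makes the location unusual.
        $tmpInRoamingRoot = '(?i)\\AppData\\Roaming\\[^\\\s]+\.tmp\b'
        # The per-user Run key as 4657 reports it (\REGISTRY\USER\<SID>\Software\...\Run).
        $runKey = '(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$'
        $opNames = @{ '%%1904' = 'value created'; '%%1905' = 'value modified'; '%%1906' = 'value deleted' }
    }
    process {
        $x = [xml]$EventXml
        $idNode = $x.Event.System.EventID
        $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
        $when = $x.Event.System.TimeCreated.SystemTime
        $hit = $null
        switch ($id) {
            4688 {
                $image = Get-EventField $x 'NewProcessName'
                $cmd   = Get-EventField $x 'CommandLine'
                if ($image -match '(?i)\\rundll32\.exe$' -and $cmd -match $tmpInRoamingRoot) {
                    $hit = "rundll32 loading a .tmp from the %AppData% root: $cmd"
                }
            }
            4663 {
                $obj = Get-EventField $x 'ObjectName'
                if ($obj -match $tmpInRoamingRoot) {
                    # AccessMask 0x10000 is DELETE; Dridex removes the file right after loading it.
                    $hit = ".tmp touched in the %AppData% root: $obj (access mask $(Get-EventField $x 'AccessMask'))"
                }
            }
            4657 {
                $obj = Get-EventField $x 'ObjectName'
                $val = (Get-EventField $x 'NewValue') + ' ' + (Get-EventField $x 'OldValue')
                if ($obj -match $runKey -and $val -match $tmpInRoamingRoot) {
                    $op = Get-EventField $x 'OperationType'
                    $hit = "Run key $($opNames[$op]): $(Get-EventField $x 'ObjectValueName') -> $val"
                }
            }
        }
        if ($hit) {
            [pscustomobject]@{ Time = $when; EventId = $id; Indicator = $hit }
        }
    }
}

# Constructed sample records in Get-WinEvent .ToXml() form (user, SID, value name and times are made up).
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2015-10-01T13:00:02Z"/></System><EventData><Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data><Data Name="CommandLine">Rundll32.exe C:\Users\bob\AppData\Roaming\3309.tmp asd34dfghjklzx</Data><Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID><TimeCreated SystemTime="2015-10-01T13:00:03Z"/></System><EventData><Data Name="ObjectName">C:\Users\bob\AppData\Roaming\3309.tmp</Data><Data Name="AccessMask">0x10000</Data><Data Name="ProcessName">C:\Windows\System32\rundll32.exe</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4657</EventID><TimeCreated SystemTime="2015-10-01T13:00:04Z"/></System><EventData><Data Name="ObjectName">\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run</Data><Data Name="ObjectValueName">Updater</Data><Data Name="OperationType">%%1906</Data><Data Name="OldValue">Rundll32.exe C:\Users\bob\AppData\Roaming\3309.tmp asd34dfghjklzx</Data><Data Name="NewValue"></Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2015-10-01T13:05:00Z"/></System><EventData><Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data><Data Name="CommandLine">notepad.exe C:\Users\bob\AppData\Roaming\notes.txt</Data></EventData></Event>
'@
)

# The first three samples are reported; the notepad record is ignored.
$SampleEvents | Find-DridexIndicator | Format-Table -AutoSize

# Live use on a system with the auditing above enabled:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4663,4657} |
#     ForEach-Object { $_.ToXml() } | Find-DridexIndicator
```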
<center>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJR71un9a7YKQ27whcbzN0BeyrMVAZpv6hHzun3scEWf6-SKb9tn643uYpFSC_-7IGIEjbdKkT7v-H5_elaM3nsnwA-4MoUuhO3gJaznVXWs5aDBpE-6k56iNwMQ8Xi-HGA-_xhiGW6So/s288/iphone_photo.jpg"><span style="font-family: Verdana, sans-serif;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJR71un9a7YKQ27whcbzN0BeyrMVAZpv6hHzun3scEWf6-SKb9tn643uYpFSC_-7IGIEjbdKkT7v-H5_elaM3nsnwA-4MoUuhO3gJaznVXWs5aDBpE-6k56iNwMQ8Xi-HGA-_xhiGW6So/s288/iphone_photo.jpg" style="margin: 5px;" width="200" /></span></a></center>
<blockquote>
<h3 style="text-align: left;">
<b><span style="font-family: Verdana, sans-serif;">ARTIFACTS/IOC's:</span></b></h3>
</blockquote>
<b><u><span style="font-family: Verdana, sans-serif;">Directories used:</span></u></b><br />
<blockquote>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;">%temp% - used for initial dropped scripts and infector malware</span></li>
<li><span style="font-family: Verdana, sans-serif;">%LocalAppData% - Used by previous versions of Dridex for dropped files</span></li>
<li><span style="font-family: Verdana, sans-serif;">%AppData% - Where the main payload &lt;4 char random&gt;.TMP file is written on shutdown</span></li>
</ul>
</blockquote>
<span style="font-family: Verdana, sans-serif;"> <b><u>Registry Keys used:</u></b></span><br />
<blockquote>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;">HKCU\Software\Microsoft\Windows\CurrentVersion\Run</span></li>
<li><span style="font-family: Verdana, sans-serif;">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\&lt;random GUID&gt;\ShellFolder, with a &lt;random 16 char&gt; value name of type REG_BINARY (varying length HEX data)</span></li>
</ul>
</blockquote>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The ShellFolder key is the only artifact that can be discovered while the system is running. Look for a key named "<b><i>ShellFolder</i></b>" holding one or more values of type <b><i>REG_BINARY</i></b> whose names are 16 random characters and whose data is approximately 80-120 bytes long. A new value is created each time the system reboots, which can help tell you when the system was first infected.</span><br />
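A scripted check for that artifact, as an added example that is not part of the original post. The byte bounds are deliberately looser than the observed 80-120 so padding variations are not missed; the -Remove switch is an assumption of this example, not a step the post prescribes.

```powershell
# Added example, not from the original post. Scans for the Dridex configuration
# artifact described above: a ShellFolder subkey under Explorer\CLSID holding
# REG_BINARY values with 16-character random names and roughly 80-120 bytes of
# data. Covers HKCU and, when run elevated, every loaded user hive under
# HKEY_USERS so other users' profiles are checked too. -Remove deletes the
# matching values (benign once Dridex is terminated, per the post).

function Find-DridexShellFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$MinBytes = 60,    # loose bounds around the 80-120 bytes observed
        [int]$MaxBytes = 160,
        [switch]$Remove
    )
    $subPath = 'Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID'
    # HKU: is not a default drive, so address hives through the Registry:: provider.
    $roots = @('Registry::HKEY_CURRENT_USER') + @(
        Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # real user SIDs only
            ForEach-Object { $_.PSPath }
    )
    foreach ($root in $roots) {
        $clsid = "$root\$subPath"
        if (-not (Test-Path -LiteralPath $clsid)) { continue }
        # Legitimate ShellFolder keys carry an "Attributes" REG_DWORD, not 16-char REG_BINARY values,
        # so the type/name/size filter below keeps them out of the results.
        Get-ChildItem -LiteralPath $clsid -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -eq 'ShellFolder' } |
            ForEach-Object {
                $key = $_
                foreach ($name in $key.GetValueNames()) {
                    if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
                    $bytes = ($key.GetValue($name)).Length
                    if ($name -notmatch '^[A-Za-z0-9]{16}$' -or $bytes -lt $MinBytes -or $bytes -gt $MaxBytes) { continue }
                    [pscustomobject]@{ Key = $key.Name; ValueName = $name; Bytes = $bytes }
                    if ($Remove -and $PSCmdlet.ShouldProcess("$($key.Name)\$name", 'Remove value')) {
                        Remove-ItemProperty -LiteralPath $key.PSPath -Name $name
                    }
                }
            }
    }
}

# One row per suspicious value; since a new value appears at every reboot, the
# row count per key approximates how many reboots the infection has survived.
Find-DridexShellFolder | Format-Table -AutoSize
# Find-DridexShellFolder -Remove -WhatIf     # preview the cleanup before running it for real
```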
<span style="font-family: Verdana, sans-serif;"><br /></span>
<b><span style="font-family: Verdana, sans-serif;">CLEANUP/REMEDIATION</span></b><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Below are two articles that discuss how to clean Dridex off a system. The methods they discuss work fine if you are doing one system at a time, but they do not scale to tens or hundreds of systems in multiple office locations. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2LWQgWiHCS1Ik_x3P-S-xYXho7KdpHIb_0FKeF4bQurIpshL2GIWcEfgwrmdaoDkj66K5z2sviB9pNsbu6wnXpZDvzKWF1PSf0cYtPIXc_Fbq_Q_VRTyZFxyPrwr1UPEoDrbTO5SUJR0/s288/iphone_photo.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img align="right" border="0" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2LWQgWiHCS1Ik_x3P-S-xYXho7KdpHIb_0FKeF4bQurIpshL2GIWcEfgwrmdaoDkj66K5z2sviB9pNsbu6wnXpZDvzKWF1PSf0cYtPIXc_Fbq_Q_VRTyZFxyPrwr1UPEoDrbTO5SUJR0/s200/iphone_photo.jpg" style="margin: 5px;" width="200" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCVHvCzrlIXXWwGtJjZE1WEaNzOtsY9JEZq20WwEhZM6MfCdUKy9LtX-ZsylJAV1debJemKc2jUf_0ojS-Ou-Z-YrY5qH0blP2JqUhVZ8ZLjFpPAt2y0Kf5QrzLhHjYKetRCRmr1Q8rgo/s288/iphone_photo.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img align="left" border="0" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCVHvCzrlIXXWwGtJjZE1WEaNzOtsY9JEZq20WwEhZM6MfCdUKy9LtX-ZsylJAV1debJemKc2jUf_0ojS-Ou-Z-YrY5qH0blP2JqUhVZ8ZLjFpPAt2y0Kf5QrzLhHjYKetRCRmr1Q8rgo/s288/iphone_photo.jpg" style="margin: 5px;" width="100" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ0bjjc3tuj7_eFNBq4qsCIHqSvyqpNywAAGKittU_jneLEv0AUgOOFaecrdWAS7M-ggmpXG7pSnC5kf0UyBQ9LU3KYMNA_kwbt4G96RCPbplmtsOh306FXkkVRAG-Hlg4AN6Y4TWpQsM/s288/iphone_photo.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ0bjjc3tuj7_eFNBq4qsCIHqSvyqpNywAAGKittU_jneLEv0AUgOOFaecrdWAS7M-ggmpXG7pSnC5kf0UyBQ9LU3KYMNA_kwbt4G96RCPbplmtsOh306FXkkVRAG-Hlg4AN6Y4TWpQsM/s200/iphone_photo.jpg" style="margin: 5px;" width="200" /></span></a></div>
<span style="font-family: Verdana, sans-serif;">When malware researchers do analysis, they must take into account that a large outbreak, like we saw with Conficker in 2008, or a typical advanced APT attack could occur, where there are tens, hundreds or, worse yet, thousands of systems to clean. Safe Boot is unfortunately a manual way to clean a system that requires touching the keyboard. Malware researchers and analysts must also recommend ways, methods or tools that can be carried out over the wire or remotely. It should be a goal of every malware researcher and analyst to provide an enterprise method of recovery along with our research/analysis. So here is such an approach for Dridex; but knock yourself out if you choose the Safe Boot method for a small number of systems.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi3nLFpRTaTyC67sbiVvPRVGv0dIgzekOxS5PEpNiN7zkdYC00fLNLA3qOQfGTR9OUjQYZ-j27E_7zD6ffrjOcwpZmQjAHflmm6SQOW1MjC56mhlzQOz6LScXPyNol2EO7I-0R5CB70J4/s288/iphone_photo.jpg"><span style="font-family: Verdana, sans-serif;"><img align="right" border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi3nLFpRTaTyC67sbiVvPRVGv0dIgzekOxS5PEpNiN7zkdYC00fLNLA3qOQfGTR9OUjQYZ-j27E_7zD6ffrjOcwpZmQjAHflmm6SQOW1MjC56mhlzQOz6LScXPyNol2EO7I-0R5CB70J4/s288/iphone_photo.jpg" style="margin: 5px;" width="200" /></span></a><br />
<span style="font-family: Verdana, sans-serif;"><b>Workstations versus servers:</b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Servers often have a way to cut the system's power through a chassis management interface or a virtual management console. This comes in handy for infections that live only in memory and cannot restart until the system shuts down and writes their launch sequence to disk, and it gives servers an option not readily available to workstations. Pulling the power on a server interrupts the malware's hook and kills its ability to write to disk, since the system never performs a proper shutdown; the power is simply cut. Of course you should shut down databases and applications before using this method to avoid data corruption. For workstations you can just pull the plug and Dridex is gone, but this is not the best approach at scale if there is another way, and with Dridex and much other malware, there is.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Dridex hooks Explorer.exe and loads itself through the following Run key entry:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG86MsNv5RBpiu-9SEum646xpg5nrvfaRhRQxSYcnyU0a6FsixldxPCdOP8m_0iIfW5bPXDRDRhMNQg8gm9K2ghdL7wn8TrZKIJTU7IauWWX9SV_ZVP9k91NbRrx3cxDEFEGi0VvOe8LU/s1600/iphone_photo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img align="right" border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG86MsNv5RBpiu-9SEum646xpg5nrvfaRhRQxSYcnyU0a6FsixldxPCdOP8m_0iIfW5bPXDRDRhMNQg8gm9K2ghdL7wn8TrZKIJTU7IauWWX9SV_ZVP9k91NbRrx3cxDEFEGi0VvOe8LU/s288/iphone_photo.jpg" style="margin-top: 5px;" width="209" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBF0Z1-LYzht7xROxqEGm1-fovdhqqrdLDY8G_1dgPN5UvMz1yUiXhNf8g2TV01zSrcGduNdFWRC4HJ3j6Sklbucm51LJyFM9IuMwBT58T0Q23LBt6ZTX_PQl7Wn6vyWko-Swut2_-5cY/s288/iphone_photo.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><br /></span></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBF0Z1-LYzht7xROxqEGm1-fovdhqqrdLDY8G_1dgPN5UvMz1yUiXhNf8g2TV01zSrcGduNdFWRC4HJ3j6Sklbucm51LJyFM9IuMwBT58T0Q23LBt6ZTX_PQl7Wn6vyWko-Swut2_-5cY/s288/iphone_photo.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><br /></span></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBF0Z1-LYzht7xROxqEGm1-fovdhqqrdLDY8G_1dgPN5UvMz1yUiXhNf8g2TV01zSrcGduNdFWRC4HJ3j6Sklbucm51LJyFM9IuMwBT58T0Q23LBt6ZTX_PQl7Wn6vyWko-Swut2_-5cY/s288/iphone_photo.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><br /></span></a><span style="font-family: Verdana, sans-serif;"></span><br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;">Rundll32.exe C:\Users\&lt;username&gt;\AppData\Roaming\3309.tmp asd34dfghjklzx</span></li>
</ul>
<span style="font-family: Verdana, sans-serif;"><br />The random-length code or key following the .tmp file is required for the malware to persist; it is most likely the key to unlock the obfuscated, packed code.<br /><br />Explorer.exe calls RunDll32.exe, which loads the &lt;random&gt;.tmp file, which in turn calls Taskhost.exe (the process that manages DLLs loaded by a service, for example); at that point Explorer.exe is hooked with Dridex. Rundll32.exe and then Taskhost.exe terminate as the Dridex load completes.<br /><br />Knowing Explorer.exe is hooked, which can be verified by taking a memory dump and analyzing the strings, Dridex can be unhooked.<br /><br />All that is needed is to terminate the Explorer process, which is what users see as their desktop environment. Once Explorer is terminated Dridex is killed and the desktop is no longer usable. No fear, all that is needed is the three finger salute... CTRL-ALT-DELETE and log off or reboot the system. The three-finger salute also requires a person to physically touch the keyboard, but it is easier than booting into Safe Mode.<br /><br />For true scalability and remote management with no keyboard required on the target, terminating Explorer.exe can be scripted or remotely executed using the /S option of the following built-in utilities to specify a remote system with proper admin credentials. Use Tasklist.exe to identify the PID of Explorer, or just use Taskkill.exe /IM Explorer.exe to terminate Explorer, and then execute the Shutdown.exe command to reboot the system. Many remote management solutions have a reboot-the-system option, so all that is needed is to execute the proper Taskkill command line and then reboot. You can also script the deletion of the config settings found in the ShellFolder key listed above, but the key is benign once Dridex is terminated.</span><br />
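The scripted version of that unhook-and-reboot procedure for a list of hosts, as an added example that is not part of the original post. It uses taskkill.exe /S as described and Restart-Computer for the reboot, because shutdown.exe addresses a remote machine with /m \\host and has no credential switch of its own; the host names and credential in the usage lines are placeholders.

```powershell
# Added example, not from the original post. Scripts the unhook-and-reboot
# procedure above for a list of hosts: taskkill.exe /S kills every explorer.exe
# on the target (taking the injected Dridex code with it), then Restart-Computer
# reboots it before anything can write the payload back to disk. Stop databases
# or other stateful services first where this runs against servers.

function Invoke-DridexUnhook {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$ComputerName,
        [pscredential]$Credential     # admin account on the targets; omit to use the caller's identity
    )
    process {
        foreach ($target in $ComputerName) {
            if (-not $PSCmdlet.ShouldProcess($target, 'Terminate explorer.exe (unhooks Dridex) and reboot')) { continue }
            # taskkill only takes explicit credentials as /U user /P password; the password then
            # shows in this host's process listing, so prefer the caller's identity where possible.
            $auth = @()
            if ($Credential) {
                $auth = '/U', $Credential.UserName, '/P', $Credential.GetNetworkCredential().Password
            }
            # Step 1: kill every explorer.exe instance (one per logged-on user).
            $out = & taskkill.exe /S $target @auth /IM explorer.exe /F 2>&1
            $killed = ($LASTEXITCODE -eq 0)
            # Step 2: reboot right away. Only do this when the kill succeeded; rebooting a host
            # where Explorer is still hooked just lets Dridex write itself back at shutdown.
            $rebooted = $false
            if ($killed) {
                try {
                    $rc = @{ ComputerName = $target; Force = $true; ErrorAction = 'Stop' }
                    if ($Credential) { $rc.Credential = $Credential }
                    Restart-Computer @rc
                    $rebooted = $true
                } catch { $out = $_.Exception.Message }
            }
            [pscustomobject]@{
                Computer       = $target
                ExplorerKilled = $killed
                RebootIssued   = $rebooted
                Detail         = ($out | Out-String).Trim()
            }
        }
    }
}

# Example run against a constructed host list (replace with your own inventory):
# $cred = Get-Credential 'CORP\incident-admin'
# 'WS-0101', 'WS-0102', 'WS-0103' | Invoke-DridexUnhook -Credential $cred -Confirm:$false |
#     Format-Table -AutoSize
```

Run it with -WhatIf first to list the hosts it would touch without killing anything.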
<username><random><span style="font-family: Verdana, sans-serif;"><br /></span></random></username>
<username><random><span style="font-family: Verdana, sans-serif;"><img align="right" border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBF0Z1-LYzht7xROxqEGm1-fovdhqqrdLDY8G_1dgPN5UvMz1yUiXhNf8g2TV01zSrcGduNdFWRC4HJ3j6Sklbucm51LJyFM9IuMwBT58T0Q23LBt6ZTX_PQl7Wn6vyWko-Swut2_-5cY/s288/iphone_photo.jpg" style="color: #0000ee; margin: 5px;" width="100" />There you go, all you need to know on the current stealthy variant of Dridex. Now go do some malware infections and play... In an isolated lab of course.<br />Happy Hunting!<br /><br /><b>RESOURCES</b><br /><br /><b><a href="http://www.virusresearch.org/how-to-remove-dridex-trojan-horse/" target="_blank">Virus Research article on Dridex removal using Safe Mode</a></b><br /><br /><b><a href="https://www.lexsi.com/securityhub/dridex-campaign-detecting-and-cleaning-tools-by-lexsi/?lang=en" target="_blank">Lexsi Security article on cleaning Dridex in Safe Mode and an incomplete tool</a></b><br /><br /><b><a href="http://malwarebattle.blogspot.com/2014/12/dridex-malware-christmas-offers.html" target="_blank">MalwareBattle article on Christmas Dridex</a></b><br /><br /><b><a href="https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf" target="_blank">Blueliv article on Dyre and Dridex malware</a></b><br /><br /><b><a href="http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html" target="_blank">Stop Malvertising article on Dridex / Cridex / Feodo / Bugat</a></b><br /><br />#InfoSec #MalwareArchaeology #LOG-MD, #Dridex</span></random></username><br />
<div>
<span style="color: #0000ee;"><br /></span></div>
</div>
Hacker Hurricane, 2015-10-31: A Simple built-in FREE way to block malware and odd programs from infecting your Windows system - Software Restriction Policies<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKCZVK0lWC6FEglytTC5cLlp54BLnlTAYLwcoKEt4MfaIGB95jG687JYsq-cNHETGHZUMw_mfiXgT4jAPq7kl2wboGIZ8GkoJxjaZsUYqoY8UNutkjRcvNAbdh_cDc-TIRcfIcap35Apk/s1600/No-malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKCZVK0lWC6FEglytTC5cLlp54BLnlTAYLwcoKEt4MfaIGB95jG687JYsq-cNHETGHZUMw_mfiXgT4jAPq7kl2wboGIZ8GkoJxjaZsUYqoY8UNutkjRcvNAbdh_cDc-TIRcfIcap35Apk/s1600/No-malware.png" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">When I put on Malware Discovery and Basic Malware Analysis training I am always asked, "Isn't there a simple way to stop things like Crypto Ransomware that keeps infecting my users, friends, family, kids and wife?"</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Actually there is and it is FREE with Windows! Thank you Microsoft for not including this feature with ALL versions of Windows. ;-(</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">It is available only in the Windows Professional, Ultimate, Enterprise or MSDN editions; sorry, the Windows Home and Starter editions do not have the Local Security Policy console needed to configure it. But this IS a reason to upgrade your computers to Pro or Ultimate for sure.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So how do you use it to block malicious software like Crypto Ransomware?</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">First things first. You need to understand that this is a manual configuration on each computer, although you can automate it using Group Policy for domain-attached systems. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Second, you need to understand that this method will block everything from running in the Users directory space and that you must poke holes to allow what is needed and what you want to run. But there is an easy way to gather this information once a block occurs.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So what is it? "<b><i>Software Restriction Policies</i></b>" (SWRP) is found in the Local Security Policy Console which is found under:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;">Control Panel - Administrative Tools - Local Security Policies</span></li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyFriVQYLRyWF7nt9kVNtxC5Z0Cwx_CNjZtdk46bZ1Hc01jUoZHbjLm2rp5tXiWEIVAZ0OO3DwYrlqCb8hBl2mxaD6nW_Bt3sng76IgjZ1jwf5zNtDqIJ-KJKDKmoXflY78dKzxENEqr4/s1600/SW+Restriction+Policies.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyFriVQYLRyWF7nt9kVNtxC5Z0Cwx_CNjZtdk46bZ1Hc01jUoZHbjLm2rp5tXiWEIVAZ0OO3DwYrlqCb8hBl2mxaD6nW_Bt3sng76IgjZ1jwf5zNtDqIJ-KJKDKmoXflY78dKzxENEqr4/s400/SW+Restriction+Policies.JPG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h3 style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Enforcement:</span></h3>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">This is where you choose which users the policy is enforced for. The options are not adjustable; just select the one you want when you create a rule.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfmMipsVbv3Tki0PlA4_0bg5omOVYZJiqkLDwZagHlBfP7j3Q9sxr-hYPvOwsxvctkFawRrokKjraG0W6I7y4E_eSN0M149M1hSWhp-7Ja8yF8_1qthZv913U8XmcsviTWTzyICG6DUHA/s1600/Roles.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfmMipsVbv3Tki0PlA4_0bg5omOVYZJiqkLDwZagHlBfP7j3Q9sxr-hYPvOwsxvctkFawRrokKjraG0W6I7y4E_eSN0M149M1hSWhp-7Ja8yF8_1qthZv913U8XmcsviTWTzyICG6DUHA/s640/Roles.JPG" width="640" /></a></div>
<h3 style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Designated File Types:</span></h3>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">This is where you can add or delete file types, but some file types are not supported like driver .SYS files.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwhyXvw834duHp6oCyEUStM03kCVoz3msAoAH-HekdU-b4H0RC_cQaFC7uoIjxMzUwUF9tOv4UW-chdB7vB8OlwixmI76xfT1a8Go8SkSWTjj62N9HbaYxgZasUwgSmOA6FNCjZaBnK4M/s1600/File+Types.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="385" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwhyXvw834duHp6oCyEUStM03kCVoz3msAoAH-HekdU-b4H0RC_cQaFC7uoIjxMzUwUF9tOv4UW-chdB7vB8OlwixmI76xfT1a8Go8SkSWTjj62N9HbaYxgZasUwgSmOA6FNCjZaBnK4M/s640/File+Types.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<h3 style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Trusted Publishers:</span></h3>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">This is where you can trust certain publishers like Microsoft, Google and other companies who sign their software with a certificate. You must manually go find the file you want to trust and select the part(s) or levels of the publisher info you want to trust. This is manual and not very friendly as the same company can/will sign their software many different ways.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOTi1HxG8hIqlgrK55gt2qGYY3pv4l0-BnZ1yX58u7-41R3QOyrfexy5SkSeKeiq2DagA-7svZ8DcGwDpyBXpwSgBi71B4XqdZlhWP74o-mcGWL45XzucNgTYZaGfil7me1cLXJgqerUM/s1600/Publishers.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOTi1HxG8hIqlgrK55gt2qGYY3pv4l0-BnZ1yX58u7-41R3QOyrfexy5SkSeKeiq2DagA-7svZ8DcGwDpyBXpwSgBi71B4XqdZlhWP74o-mcGWL45XzucNgTYZaGfil7me1cLXJgqerUM/s640/Publishers.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3 style="text-align: left;">
<span style="font-family: Verdana, sans-serif;">Additional Rules:</span></h3>
<span style="font-family: Verdana, sans-serif;">This is where you should spend most of your time, especially if you want SWRP to be easy and fast.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiOrq09a-jqa5DLN5gz2gqvKwTn0u28aBQ7heYxrCrGUImK4eGtrX-JiMThbR_CQRn4jaSu5N2cK62VbvrtRbOMBi41E6JqlswUq9k6LkFqHH40G-RNcAgY7cPY7egNIfQiJXxnnu3Kzo/s1600/Additional+Rules.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiOrq09a-jqa5DLN5gz2gqvKwTn0u28aBQ7heYxrCrGUImK4eGtrX-JiMThbR_CQRn4jaSu5N2cK62VbvrtRbOMBi41E6JqlswUq9k6LkFqHH40G-RNcAgY7cPY7egNIfQiJXxnnu3Kzo/s1600/Additional+Rules.jpg" /></a></div>
<h3 style="text-align: left;">
<span style="font-family: Verdana, sans-serif;">There are four rules:</span></h3>
<br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;">New Certificate Rule</span></li>
<li><span style="font-family: Verdana, sans-serif;">New Hash Rule</span></li>
<li><span style="font-family: Verdana, sans-serif;">New Network Zone Rule</span></li>
<li><span style="font-family: Verdana, sans-serif;">New Path Rule</span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;">Spend most of your time with the "<b><i>New Path Rule</i></b>". This is where you will create a BLOCK ALL rule and then poke holes to allow ONLY what you want to allow to execute.</span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0-VHPPzAQ4HKFlw54zaZKGZoKlLqym3MFFFMQ1QZkG6hm1bAXDOVcr9rf-S8_8x8icSRgXKf2evN1w3X34k7cs-y1QU4efuOG_Jg2vb5gi4runcsDbf73cP8BqSBlPqPmr6qzpB4lMUA/s1600/SW+Restriction+Policy.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0-VHPPzAQ4HKFlw54zaZKGZoKlLqym3MFFFMQ1QZkG6hm1bAXDOVcr9rf-S8_8x8icSRgXKf2evN1w3X34k7cs-y1QU4efuOG_Jg2vb5gi4runcsDbf73cP8BqSBlPqPmr6qzpB4lMUA/s640/SW+Restriction+Policy.JPG" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The first rule you want to make is to BLOCK ALL for the path:</span><br />
<ul style="text-align: left;">
<li><span style="font-family: Verdana, sans-serif;">C:\Users\*</span></li>
</ul>
<div>
<span style="font-family: Verdana, sans-serif;">This will block execution of any executable in the C:\Users directory structure. Once an existing program tries to update itself, like Google Chrome, you will get an error on the screen if it is a GUI based install or update. If it is a background process then you won't see anything.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">But wait, there is a Log entry registered each time a failure occurs and this makes it easy to populate your New Path Rules!</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Open up Event Viewer and the "<b><i>Application</i></b>" Log and filter the log for Event ID <b><i>866.</i></b></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><b><i><br /></i></b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhaGKp9dU-kQI1G06d9q76XpiA0l0xVBp7BQWkG3GeLz_mrvXk0LS8GMwRnAYZXSPXbz9RQOqcNPSJFPhVe0bdusW8aKV5_Pltnqx9WgGmYGVLMmQVpYV1OlW2pesSccV8tcZoJw0kCag/s1600/866+Event.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhaGKp9dU-kQI1G06d9q76XpiA0l0xVBp7BQWkG3GeLz_mrvXk0LS8GMwRnAYZXSPXbz9RQOqcNPSJFPhVe0bdusW8aKV5_Pltnqx9WgGmYGVLMmQVpYV1OlW2pesSccV8tcZoJw0kCag/s640/866+Event.JPG" width="640" /></a></div>
<div>
<span style="font-family: Verdana, sans-serif;"><b><i><br /></i></b></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">These log entries will give you what you need to create a "<b><i>New Path Rule</i></b>", all you do is copy the path of the failure.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgp7aR6QHiRCZRbGFCZbbY6kYHb4Q6YTL2NRGb2ZxXYHYqmdV1bzC9q5oyy3i0EIaM-0MgC6vBzZp8z5Xc2EeWVqeuKE2HSmM2CTitFEW9KUhUsckLR7gR4ZaoHGXiZfDoLUqcm0zTMDI/s1600/866+Event+copy+path.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgp7aR6QHiRCZRbGFCZbbY6kYHb4Q6YTL2NRGb2ZxXYHYqmdV1bzC9q5oyy3i0EIaM-0MgC6vBzZp8z5Xc2EeWVqeuKE2HSmM2CTitFEW9KUhUsckLR7gR4ZaoHGXiZfDoLUqcm0zTMDI/s640/866+Event+copy+path.JPG" width="640" /></a></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Then create a "<b><i>New Path Rule</i></b>": right-click the "<b><i>Additional Rules</i></b>" item (or in the window), select "<b><i>New Path Rule</i></b>", and paste the path copied from the Event ID 866 entry. Select "<b><i>Unrestricted</i></b>" so the program can run, then save the entry. Repeat this for each program you want to allow to run.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Take a minute to look at the path and make it generic across users (C:\Users\*\AppData\Local\Adobe) and across versions of the software. Some software uses a directory name that matches the version (GTM\1251\update\install.exe), so as the software updates, that one directory level (1251) changes with each new version. You don't want to keep adding similar rules; just use a wildcard "<b>*</b>" in place of any username or version (GTM\*\update\install.exe) to make the rule work for everyone and every version.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Of course you can use the wildcard to further refine the rule to your liking. But be careful! You don't want a wildcard entry written around an odd .tmp file path to open up the whole directory so that any file, including bad software, can execute. Some installers use randomly named files with a .tmp extension that you will have to craft a rule for. Make the rule as specific as needed to keep odd things from running in that location. Here is an example of several "<b><i>New Path Rules</i></b>".</span></div>
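A helper that applies the two pieces of advice above to the Event ID 866 entries, as an added example that is not part of the original post: it turns each blocked path into a candidate path rule with the username and version directories wildcarded, and flags random .tmp names and doubled wildcards for manual review instead of allowing them. The sample messages (usernames, version numbers and the rule GUID) are constructed.

```powershell
# Added example, not from the original post. Turns the Event ID 866 "Access to
# ... has been restricted" entries into candidate New Path Rule paths: the
# C:\Users\<name> directory and version-number directories become "*", while
# random .tmp names and adjacent wildcards are flagged for review rather than
# wildcarded, as the text above warns.

function ConvertTo-SrpPathRule {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        # The 866 message starts "Access to <path> has been restricted by your Administrator ...".
        if ($Message -match '^Access to (?<Path>.+?) has been restricted') {
            $path = $Matches['Path']
        } else {
            return
        }
        $parts   = $path -split '\\'
        $generic = New-Object System.Collections.Generic.List[string]
        for ($i = 0; $i -lt $parts.Count; $i++) {
            $p = $parts[$i]
            if ($i -eq 2 -and $parts[1] -eq 'Users')  { $generic.Add('*') }   # C:\Users\<name>
            elseif ($p -match '^\d+(\.\d+)*$')        { $generic.Add('*') }   # 1251, 46.0.2490.71
            elseif ($p -match '^\{[0-9A-Fa-f-]{36}\}$') { $generic.Add('*') } # {GUID} staging dirs
            else                                      { $generic.Add($p) }
        }
        $rule = $generic -join '\'
        $note = ''
        if ($parts[-1] -match '(?i)\.tmp$') {
            $note = 'random .tmp: allow by hash or certificate rule instead of a path wildcard'
        } elseif ($rule -match '\\\*\\\*\\') {
            $note = 'two adjacent wildcards open a whole tree; tighten before allowing'
        }
        [pscustomobject]@{ Blocked = $path; Rule = $rule; NeedsReview = ($note -ne ''); Note = $note }
    }
}

# Constructed sample 866 messages (users, versions and the rule GUID are made up).
$SampleMessages = @(
    'Access to C:\Users\bob\AppData\Local\GTM\1251\update\install.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000000} placed on path C:\Users\*.',
    'Access to C:\Users\alice\AppData\Local\Google\Chrome\Application\46.0.2490.71\Installer\setup.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000000} placed on path C:\Users\*.',
    'Access to C:\Users\bob\AppData\Local\Temp\is-R3Q1K.tmp\setup.tmp has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000000} placed on path C:\Users\*.'
)
$SampleMessages | ConvertTo-SrpPathRule | Format-List

# Live: read the real entries from the Application log and de-duplicate the rules.
# Get-WinEvent -FilterHashtable @{LogName='Application'; Id=866} |
#     Select-Object -ExpandProperty Message | ConvertTo-SrpPathRule | Sort-Object Rule -Unique
```

Paste each Rule value into a "New Path Rule" set to Unrestricted only after checking the NeedsReview rows.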
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY0VP7TIVRE7pkkIEA_0cVBMu4gmEum7Od9DzjHK0FBQSuUinxb90octx-7bmFZpKbNqsX5RqbmcruDf3rkyihu51Ub84y8VumqGlzacu-Djr9VePrZGn0OkpkvbUaUukmTPsbBmRq5Rg/s1600/SW+Restriction+Policy+Added.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY0VP7TIVRE7pkkIEA_0cVBMu4gmEum7Od9DzjHK0FBQSuUinxb90octx-7bmFZpKbNqsX5RqbmcruDf3rkyihu51Ub84y8VumqGlzacu-Djr9VePrZGn0OkpkvbUaUukmTPsbBmRq5Rg/s640/SW+Restriction+Policy+Added.JPG" width="640" /></a></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">If you play with this on your system, you will find that it works fairly well in blocking odd programs from infecting your system. Of course, TEST your rules by dropping a known .EXE, maybe renamed to "<b><i>malware_test.exe</i></b>" for effect, into a directory under C:\Users and trying to execute it. You should see a message like the following letting you know the rules are working.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><b><i><br /></i></b></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXnVPVvNplfTN4uNXKeUwJrRHmJ3Ldc4FRuCdbctGmr8zkohLroZB9-3YAGWFj20bmJdGAVlmmiHoc1iwZoBDJMjefOmxObUn5p_bT6HNHacrJ-Zx8Q8UCSAcHNBzFRSVRMRys5rI-XgU/s1600/Blocked.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXnVPVvNplfTN4uNXKeUwJrRHmJ3Ldc4FRuCdbctGmr8zkohLroZB9-3YAGWFj20bmJdGAVlmmiHoc1iwZoBDJMjefOmxObUn5p_bT6HNHacrJ-Zx8Q8UCSAcHNBzFRSVRMRys5rI-XgU/s640/Blocked.JPG" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Check your Application Log for Event ID 866 to see the blocked file.</span><br />
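<span style="font-family: Verdana, sans-serif;">As an added example (not code from the original post), here is a PowerShell script that runs the test described above end to end: copy a known-good binary into a user directory under the test name from the post, try to launch it, and then pull the matching Event ID 866 from the Application log. The source binary (notepad.exe) and the Downloads folder are assumptions; use whatever trusted .EXE and user directory your rules cover.</span>

```powershell
# Added example, not from the original post: exercise a Software Restriction
# Policy path rule and confirm the block was logged.
# Assumptions: the Disallowed rule for C:\Users from the post is in place, and
# notepad.exe is just a harmless, trusted binary used as the test payload.

$Source   = Join-Path $env:SystemRoot 'System32\notepad.exe'
$TestDir  = Join-Path $env:USERPROFILE 'Downloads'        # any directory under C:\Users
$TestFile = Join-Path $TestDir 'malware_test.exe'         # name from the post, for effect
$Started  = Get-Date

Copy-Item -Path $Source -Destination $TestFile -Force

# Try to launch the copy. With a working rule, process creation is refused
# (ERROR_ACCESS_DISABLED_BY_POLICY) and Start-Process throws.
$Blocked = $false
try {
    Start-Process -FilePath $TestFile -ErrorAction Stop
    Write-Warning "Test file executed: the SRP rule covering $TestDir is NOT in effect."
} catch {
    $Blocked = $true
    Write-Host "Launch refused as expected: $($_.Exception.Message)"
}

# SRP writes its block notices to the Application log as Event ID 866 from the
# SoftwareRestrictionPolicies source; the message names the blocked path.
$Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SoftwareRestrictionPolicies'
    Id           = 866
    StartTime    = $Started
} -ErrorAction SilentlyContinue

$Hit = $Events | Where-Object { $_.Message -like "*$TestFile*" }

if ($Blocked -and $Hit) {
    "SRP working: Event 866 logged for $TestFile at $($Hit[0].TimeCreated)"
} elseif ($Blocked) {
    "Launch was blocked but no Event 866 found yet; check the Application log manually."
} else {
    "No block occurred; review the path rules and the enforcement level."
}

Remove-Item -Path $TestFile -Force -ErrorAction SilentlyContinue
```

<span style="font-family: Verdana, sans-serif;">Run it from a normal (non-administrator) user session, since that is the account the rule is meant to constrain; the Get-WinEvent call needs no elevation for the Application log. Keeping the test file name distinctive makes the 866 message easy to pick out when you later forward the Application log to a SIEM.</span>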
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigY7L4CAs7dSV8fWqgLQ-K47yU25yFCDSB7ojGUIGnahWZJxaZrHo7qt_tTNBQfhLJLX_7QLdd05xz83TkIcH2_Ma9m8YDTuXt9auz788PR75c6BLIiOCLEgKPp8AEVsTwvGXE5xpidAI/s1600/Blocked+Log.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigY7L4CAs7dSV8fWqgLQ-K47yU25yFCDSB7ojGUIGnahWZJxaZrHo7qt_tTNBQfhLJLX_7QLdd05xz83TkIcH2_Ma9m8YDTuXt9auz788PR75c6BLIiOCLEgKPp8AEVsTwvGXE5xpidAI/s640/Blocked+Log.JPG" width="640" /></a></div>
<br />
<br />
<span style="font-family: Verdana, sans-serif;">Now you have a way to block some typical commodity malware for your users, family, friends, children and anyone else who asks you for help. Below are some more articles to give you ideas.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Happy Hunting.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><a href="https://technet.microsoft.com/en-us/library/cc507878.aspx" target="_blank">TechNet article on using Software Restriction Policies</a></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><a href="https://technet.microsoft.com/en-us/library/cc782454(v=ws.10).aspx" target="_blank">TechNet article on Software Restriction Policies</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><a href="https://technet.microsoft.com/en-us/library/bb457006.aspx" target="_blank">TechNet article on using Software Restriction Policies</a></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><a href="http://www.mechbgon.com/srp/" target="_blank">Another article on Software Restriction Policies</a></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">#InfoSec #MalwareSucks</span></div>
Hacker Hurricanehttp://www.blogger.com/profile/02277577209226007877noreply@blogger.comtag:blogger.com,1999:blog-4959410943781832320.post-80541457219129317392015-09-25T08:26:00.001-05:002015-09-25T08:26:03.397-05:00ANNOUNCING Log-MD, the latest tool to help you fight infection, malware infection<br /><br /><center><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_UKzK523Ak5QPnJ33ucNtFrTQ1rcHj8I7L5DO5wvby3bsafXtYs7vldT4P6zjAYwo0Iqi6DIilKpGJ9ox6CCsYlzzI3dmvE-U6b7OPU48vhUYuAtPDhNJb4YL7ow_vo-ne4AsYJARjuI/s288/iphone_photo.jpg'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_UKzK523Ak5QPnJ33ucNtFrTQ1rcHj8I7L5DO5wvby3bsafXtYs7vldT4P6zjAYwo0Iqi6DIilKpGJ9ox6CCsYlzzI3dmvE-U6b7OPU48vhUYuAtPDhNJb4YL7ow_vo-ne4AsYJARjuI/s288/iphone_photo.jpg' border='0' width='280' height='54' style='margin:5px'></a></center><br />@HackerHurricane and @Boettcherpwned are releasing the Log Malicious Detection tool "Log-MD" for Windows based systems at DerbyCon 2015!<br /><br />This FREE tool will assist you in enabling and configuring your Windows logs based on the recommendations of the "<a target="_blank" href="https://malwarearchaeology.squarespace.com/cheat-sheets/">Windows Logging Cheat Sheet</a>" (WLCS).<br /><br />When first run, Log-MD will fail until all the needed auditing items are enabled and configured. You can either read the console output or the "Audit Settings Report", which gives you a measure of how your system compares to the Center for Internet Security (CIS) Benchmarks or to the recommended configuration of the "Windows Logging Cheat Sheet". This is a great report to add to your security assessments!<br /><br />Once the system is properly configured, either through Group Policy or the Local Security Policy plus some other system tweaks, Log-MD will produce Report.csv, collecting all the security goodness we Active Defenders, Malware Hunters and InfoSec people want and need! 
The report is in a simple-to-consume CSV format that can be parsed for additional scripting or filtered in Microsoft Excel.<br /><br /><br /><center><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxb27QWJ_vlof6FKzM7v6Uwx7ugsbWK_EIXptuk_yXBMQxM1R5Bc5sGZGJWcjz6FHjFLeUphyphenhyphenff0iGnOC_nzaTAbtq1XnarpwKTXdIKpD0ONoDsKIyC2lGvsGGKDeiEnf6L-WmIX3gUhI/s288/iphone_photo.jpg'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxb27QWJ_vlof6FKzM7v6Uwx7ugsbWK_EIXptuk_yXBMQxM1R5Bc5sGZGJWcjz6FHjFLeUphyphenhyphenff0iGnOC_nzaTAbtq1XnarpwKTXdIKpD0ONoDsKIyC2lGvsGGKDeiEnf6L-WmIX3gUhI/s288/iphone_photo.jpg' border='0' width='200' height='150' style='margin:5px'></a></center><br />It does not stop there! There are three white lists that allow you to filter out the good, to help you find the bad and the ugly! So as you find obviously good conditions, you can use the white lists to filter out those items the next time Log-MD is run. The three white lists are:<br /><br />1. By Process Command Line and/or Process Name<br />2. By Source IP and/or Destination IP and/or Destination Port (yup, no source port)<br />3. File Auditing (4663) and Registry Auditing (4657) locations<br /><br />There are multiple use cases for Log-MD. Whether or not you have a Log Management solution (aka SIEM), this tool can help you refine what to collect and improve your policies.<br /><br />1. Audit your system against best practices - Compliance Auditors, IT professionals, consultants, InfoSec and Incident Responders can all use this tool to know how their environment stacks up, log- and audit-wise, against the CIS Benchmarks or WLCS recommendations.<br /><br />2. Use the output to set and refine your File and Registry Auditing to start monitoring key directories (e.g. \appdata) and auto run locations in the registry (e.g. Run and RunOnce keys). Start using auditing and have a way to refine your settings!<br /><br />3. Malware Labs - Use Log-MD in your malware labs to find the key artifacts or IOCs needed to find other infected systems and the cleanup details to remediate. It speeds up basic malware analysis significantly!<br /><br />4. Investigate a suspect system - Do you want to know if a system is clean or infected? Log-MD can help you analyze the data after boot up to see if anything odd has launched or communicated on the system.<br /><br />5. Incident Response - We don't always have fancy Log Management solutions or Endpoint solutions, so Log-MD can be run on systems to help get them configured to collect the needed data and then provide Incident Responders the much needed information to focus their attention. Great for companies that are budget limited and lack some of the Enterprise Security tools IR firms use.<br /><br />A major goal of Log-MD is to help move organizations forward and to enable and configure much needed logging details, even if they are only collected locally, with or without a Log Management solution. The same technique applies when doing malware analysis and while investigating a suspect system.<br /><br />Take a look, download the tool and try it out! Send us your comments and suggestions. 
For security, we have posted the file hash on HackerHurricane so you can validate the download ;-).<br /><br />You can get Log-MD at:<br /><br /><a target="_blank" href="http://www.log-md.com">www.Log-MD.com</a><br /><br />Happy Hunting!!!<br /><br />#InfoSec #MalwareArchaeology<br />Hacker Hurricanehttp://www.blogger.com/profile/02277577209226007877noreply@blogger.comtag:blogger.com,1999:blog-4959410943781832320.post-63131265865644160162015-09-24T10:08:00.001-05:002015-09-24T10:08:34.296-05:00Finding and Alerting on crypto events with your Cloud storage logs<br /><br /><center><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijWLg4u4bGt6fZGW8IGeX4RhJlttIb2BRkRxWA6Eq9NO0NEp-kWWfqbbpQ_l1r7jXs0OTsoh0vt7oanimoe7oa9e7QhaYNGiDs0FDG2UBCMt6r-pfZyu38w04TPYJL-6u6IixPYjkRbH8/s288/iphone_photo.jpg'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijWLg4u4bGt6fZGW8IGeX4RhJlttIb2BRkRxWA6Eq9NO0NEp-kWWfqbbpQ_l1r7jXs0OTsoh0vt7oanimoe7oa9e7QhaYNGiDs0FDG2UBCMt6r-pfZyu38w04TPYJL-6u6IixPYjkRbH8/s288/iphone_photo.jpg' border='0' width='200' height='150' style='margin:5px'></a></center><br />This may be an actual compelling reason to use a business class Cloud Storage solution like those from DropBox, Box and others.<br /><br />Normally, to detect crypto events you have to enable the File Auditing policy in GPO or the Local Security Policy and then set File Auditing on the Server Shares you want to monitor, so the data is captured in your Security Event Log (Event ID 4663). This is an effective way to detect a Crypto event in progress and also to know what directories will need to be restored once the user is contained or disconnected.<br /><br />Recently a user was hit with one of the many Crypto ransomware variants and needed to be cleaned up. Since a business class Cloud Storage was being used, the question was raised: can they roll back to the last known good files, since this occurred 2 weeks earlier? 
That got me thinking...<br /><br />If you are one of the companies using Cloud Storage as an alternative to local file server storage, for ease of sharing with partners, or for encrypted storage, you may be in luck if you have a log management solution. You may also be able to use their web portal to search for this condition; let me know, as I have not tried it.<br /><br />If you upload or sync the cloud storage logs to your log management solution, say Splunk, Loggly or one of the many others, you could have what you need to answer the following questions:<br /><br />1. When did the event happen?<br />2. Who was the user(s) involved?<br />3. What directories were involved (probably all)?<br /><br />The logs will have all this data, and if you write a query to search for "HELP_DECRYPT" and say "stats count by username", you will have what you need to alert on a crypto event using your cloud storage logs!<br /><br />Since users should not have any "HELP_DECRYPT" files (there are usually 2 per directory, an HTML file and an image file), these are a great artifact to monitor for.<br /><br />Just look for these files, use "where count > 5" as a trigger and send an email to the appropriate people.<br /><br />Just another artifact that we can use to detect malwarious activities.<br /><br />Also check out my new "<a target="_blank" href="https://malwarearchaeology.squarespace.com/s/Windows-Splunk-Logging-Cheat-Sheet-v10.pdf">Windows Splunk Logging Cheat Sheet</a>" for some Windows Splunk logging goodness.<br /><br />Happy Hunting!<br /><br />#InfoSec #MalwareArchaeology<br />Hacker Hurricanehttp://www.blogger.com/profile/02277577209226007877noreply@blogger.comtag:blogger.com,1999:blog-4959410943781832320.post-17533842053755795772015-09-20T16:55:00.001-05:002015-09-20T16:55:32.050-05:00POS Malware variant MWZLesson substantiates Malware Management should be practiced by retailers<br /><br /><center><a 
href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiv3n1tHl1k2OcaG5O9ph2BBeySVadOSGRjLCEBADZbt7oKNfCcz_C8DJ4XbOi_mdmcYNkN_1ucIdkTtvxjIbtxTwq1NnI59m2Vw7L-biNXcNyF4FvyPElzll36svR6RBHdJMLGVtfb6I/s288/iphone_photo.jpg'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiv3n1tHl1k2OcaG5O9ph2BBeySVadOSGRjLCEBADZbt7oKNfCcz_C8DJ4XbOi_mdmcYNkN_1ucIdkTtvxjIbtxTwq1NnI59m2Vw7L-biNXcNyF4FvyPElzll36svR6RBHdJMLGVtfb6I/s288/iphone_photo.jpg' border='0' width='200' height='120' style='margin:5px'></a></center><br /><blockquote>Security experts at Doctor Web have discovered a new PoS Trojan dubbed MWZLesson that borrows code from other popular malicious software.</blockquote><br /><br />The DrWeb article states that "The new PoS Trojan, dubbed Trojan.MWZLesson, was designed reusing the code of other popular malware, including the Dexter PoS and the Neutrino backdoor."<br /><br />This Blog covers interesting malware and logging tips, but even the malware analysts are seeing what I have been saying for several years. 
Malware repeats patterns, artifacts and methods and, clearly, reuses code.<br /><br />If the retailers' IT and InfoSec staff, or any organization for that matter, would start practicing Malware Management, they could be in a good position to detect variants of similar malware or code reuse, as the lesson to be learned from the latest MWZLesson POS malware shows us.<br /><br />This concept is taught in my Malware Discovery and Basic Malware Analysis training, as it was pivotal in detecting APT I have dealt with in the past.<br /><br />Seriously consider practicing Malware Management before the malwarians show you why you should have been doing it.<br /><br /><a target="_blank" href="http://news.drweb.com/show/?i=9615&lng=en&c=5">DrWeb article on MWZLesson POS malware</a><br /><br /><a target="_blank" href="https://malwarearchaeology.squarespace.com/analysis">Various Malware Reports and Analysis</a><br /><br /><a target="_blank" href="https://malwarearchaeology.squarespace.com/mmf/">How to begin using the Malware Management Framework</a><br /><br />#InfoSec #MalwareArchaeology<br />Hacker Hurricanehttp://www.blogger.com/profile/02277577209226007877noreply@blogger.comtag:blogger.com,1999:blog-4959410943781832320.post-25187677897042052132015-09-06T09:57:00.001-05:002015-09-06T09:57:13.289-05:00New Banking malware 'Shifu' proves Malware Management works!<br /><br /><center><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf_ruS39f2cC9bGmK52q2TSqo0eNulzK4gAeOJvkHINOYs7XkBrneNtkWqrCH3TcJF046QJC5tZNsziCz9gguUyR-S1j77Eu6141zGneu5ehi1tIgyJEo-_fzPNF0Qkv1erljybAgOdH0/s288/iphone_photo.jpg'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf_ruS39f2cC9bGmK52q2TSqo0eNulzK4gAeOJvkHINOYs7XkBrneNtkWqrCH3TcJF046QJC5tZNsziCz9gguUyR-S1j77Eu6141zGneu5ehi1tIgyJEo-_fzPNF0Qkv1erljybAgOdH0/s288/iphone_photo.jpg' border='0' width='280' height='186' style='margin:5px'></a></center><br />IBM's Security X-Force team has released an initial report on a new 
malware named 'Shifu' that uses methods found in several other known malware and is currently compromising banks in Japan.<br /><br />The lesson to learn here is that it uses similar traits or functions of other known malware. The report lists the following traits from known malware:<br /><br />Shiz - Domain Generation Algorithm (DGA)<br />Corcows - Theft from Bank Apps<br />Gozi - Stealth hiding techniques<br />Zeus - Anti-Sec avoidance<br />Dridex - Config using XML<br />Conficker - Wipe system restore<br />Dyre - Self signed certs<br /><br />This blog has stated that Malware Management should be practiced just like we practice Vulnerability Management. The benefit is that malware reuses patterns over time, which allows you to look in places, or for artifacts and indicators, that other malware has already used, making Malware Discovery easier and improving results each time you do it.<br /><br />I look forward to the detailed report by the IBM Security X-Force team and HOPE they publish the artifact details we Active Defenders and Incident Responders need to discover this malware or similar types of malware in our own environments.<br /><br /><a target="_blank" href="https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/">IBM Trusteer intro on Shifu malware</a><br /><br />#InfoSec #MalwareArchaeology<br />Hacker Hurricanehttp://www.blogger.com/profile/02277577209226007877noreply@blogger.comtag:blogger.com,1999:blog-4959410943781832320.post-42545640764058015032015-09-02T12:33:00.001-05:002015-09-02T12:33:59.155-05:00Symantec just proved Malware Management works with Regin update<br /><br /><center><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglK8NNYITpC30C10zflMTKrPGnBenQp7K-ZI2rrllrShUKvE77WoPWa9ssG3VDQSE74389RsHjqdsOI2Bj77mtBSVapLLyQJCQ6bE71a7a-ZwJP3-gvsn_qouGle4umcTZIGnTHYA5Wfo/s288/iphone_photo.jpg'><img 
src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglK8NNYITpC30C10zflMTKrPGnBenQp7K-ZI2rrllrShUKvE77WoPWa9ssG3VDQSE74389RsHjqdsOI2Bj77mtBSVapLLyQJCQ6bE71a7a-ZwJP3-gvsn_qouGle4umcTZIGnTHYA5Wfo/s288/iphone_photo.jpg' border='0' width='200' height='123' style='margin:5px'></a></center><br />I have blogged about Malware Management and Regin before and how it can improve your Information Security program, Malware Discovery, Active Defense efforts and improve your Malware Analysis. Take reports published by AV companies, IR Firms, Bloggers like 'Malware Must Die' and here of course, read them, pull out the artifacts, or IOC's if you must and apply them to all the above.<br /><br /><blockquote>
Symantec is aware of two distinct versions of Regin. Version 1.0 appears to have been used from at least 2008 to 2011. Version 2.0 has been used from 2013 onwards, though it may have possibly been used earlier</blockquote><br /><br />In the Fall of 2013 Symantec and others published details behind the Regin malware, see links below. Thanks to Symantec publishing an update in August 2015, "Regin: Top-tier espionage tool enables stealthy surveillance", they just proved if you had read the first Regin malware reports, you would have been well on your way to detecting any updates or similar behaviors if you were unfortunate enough to contract the malware disease known as Regin or similarly crafted malware.<br /><br />You would already be watching for things like:<br />* New files being added to \Windows, \Windows\Fonts, \Windows\Cursors and \Windows\IME<br />* New files being added to \System32, \System32\Config and \System32\Drivers<br />* Auditing certain Registry Keys<br />* Auditing for files that have NTFS Extended Attributes<br />* Filename extensions<br />* Large Registry blobs (Size does matter)<br />* Software\Classes Keys for new entries<br />* See the report Appendix for more details<br /><br />Several of the locations and techniques found in Regin I have seen in other APT and even some in commodity malware. So if you start reading these reports and taking the data and acting on it, you are in essence practicing Malware Management and improving your Malware Discovery, Active Defense and Information Security program. 
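The following PowerShell is an added example, not part of the Symantec report or of this blog's own tooling, showing one way to act on the file-location bullets above: it reads File System object-access events (Event ID 4663) from the Security log and keeps only writes, appends and deletes that land directly inside the listed \Windows and \System32 directories. It assumes Object Access auditing is enabled and that those directories carry a SACL for write access; the 24-hour look-back is an assumed value.<br /><br />

```powershell
# Added example, not from the original post: surface 4663 events for files
# written, appended or deleted directly in the Regin-style drop locations.
# Assumptions: 'Audit File System' is enabled and the directories below have a
# SACL covering Write/Create/Delete; run elevated to read the Security log.

$Hours   = 24                                             # assumed look-back window
$Watched = @(                                             # locations from the post
    "$env:SystemRoot\",
    "$env:SystemRoot\Fonts\",
    "$env:SystemRoot\Cursors\",
    "$env:SystemRoot\IME\",
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\System32\config\",
    "$env:SystemRoot\System32\drivers\"
)

# Access mask bits of interest: WriteData/AddFile (0x2), AppendData (0x4), DELETE (0x10000)
$WriteBits = 0x2 -bor 0x4 -bor 0x10000

$Since  = (Get-Date).AddHours(-$Hours)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
          -ErrorAction SilentlyContinue

$Hits = foreach ($e in $Events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.ObjectType -ne 'File') { continue }          # skip registry key objects

    # Only direct children of a watched directory count, matching "new files added to \Windows".
    $parent = (Split-Path -Path $data.ObjectName -Parent).TrimEnd('\') + '\'
    if ($Watched -notcontains $parent) { continue }        # -notcontains is case-insensitive

    if (([int]$data.AccessMask -band $WriteBits) -eq 0) { continue }   # reads are noise here

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = $data.SubjectUserName
        Process = $data.ProcessName
        Object  = $data.ObjectName
        Access  = $data.AccessMask
    }
}

if ($Hits) {
    $Hits | Sort-Object Time | Format-Table -AutoSize
} else {
    "No write/append/delete activity in the watched directories during the last $Hours hours."
}
```

Expect legitimate hits from Windows Update and installers; the Process column is what separates TrustedInstaller.exe or msiexec.exe from an unexpected writer, and a whitelist on that column is the natural next refinement once you have run it on a few systems.<br /><br />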
Not to mention if you analyze malware, you have a better idea of what to look for and where.<br /><br />Early reports and Symantec's update to Regin:<br /><br /><a target="_blank" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf">Symantec Report on Regin</a><br /><br /><a target="_blank" href="https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/">The Intercept article on Regin</a><br /><br /><a target="_blank" href="https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf">Kaspersky report on Regin</a><br /><br /><a target="_blank" href="https://www.f-secure.com/weblog/archives/00002766.html">F-Secure report on Regin</a><br /><br />Happy Hunting everyone, Malware Management ROCKS!<br /><br />#InfoSec #MalwareArchaeology<br />Hacker Hurricanehttp://www.blogger.com/profile/02277577209226007877noreply@blogger.comtag:blogger.com,1999:blog-4959410943781832320.post-49378848381448920652015-08-17T09:45:00.001-05:002015-08-17T09:45:59.405-05:00Size DOES matter when it comes to Registry Keys<br /><br /><center><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiARJB9z7j2JIkDcM1cmrOVru_0m95bAPeFY_GCbEDxO5AMXzOdxchuQx9BEiq6z5mgqhsw3FV68V82ASPLoIQ-8cfHzHAXklDheosqoXBRDCjUvrWJbWZp7RTncuyO7mmEAJRn6mhwg_o/s288/iphone_photo.jpg'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiARJB9z7j2JIkDcM1cmrOVru_0m95bAPeFY_GCbEDxO5AMXzOdxchuQx9BEiq6z5mgqhsw3FV68V82ASPLoIQ-8cfHzHAXklDheosqoXBRDCjUvrWJbWZp7RTncuyO7mmEAJRn6mhwg_o/s288/iphone_photo.jpg' border='0' width='200' height='56' style='margin:5px'></a></center><br />I just LOVE when a Twitter conversation turns into a new tool! 
It is a perfect example of collaboration and of how the community can band together to solve a need.<br /><br />That happened last week when Austin's own @dnlongen read a blog post from @codereversing about hiding malware in Windows registry keys and mentioned that he first heard it from me ;-)<br /><br />In the following tweets I pointed out how the majority of registry keys are below 20k, so it is easy to filter out the normal noise to find a hidden payload. I was involved in an event that had a 250k payload hidden in the HKLM\Software\Classes key, and the size of the key was a dead giveaway. It led us to finding a couple of other hidden payloads in other parts of the registry on various systems, allowing us to harvest and detect additional infections.<br /><br /><center><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaw3Z2Q9qKcGVWCUFVt2dJ-Fq1aGRbP0ep-hcTHUplenRtYNECMhojfd4fIZV7PAkHg5xmYtRyqepthXIhr_E0Rjk1boKRwlReqE9kI-U8BFZwT7jK7aYx-dfIaHv0peOgWXI27iTX1hc/s288/iphone_photo.jpg'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaw3Z2Q9qKcGVWCUFVt2dJ-Fq1aGRbP0ep-hcTHUplenRtYNECMhojfd4fIZV7PAkHg5xmYtRyqepthXIhr_E0Rjk1boKRwlReqE9kI-U8BFZwT7jK7aYx-dfIaHv0peOgWXI27iTX1hc/s288/iphone_photo.jpg' border='0' width='280' height='116' style='margin:5px'></a></center><br />Nirsoft makes a GUI tool called RegScanner that allows you to scan the registry for keys based on size. Unfortunately it is a GUI tool and cannot be easily scripted. 
What we need is a command line based tool that can be scripted to look for large registry keys and whitelisted normal keys.<br /><br />In the following tweets @dnlongen announced a python script named "RegLister" which can be found here:<br /><br /><a target="_blank" href="https://github.com/dnlongen/RegLister">RegLister - Registry key scanner by size</a><br /><br />@dnlongen added a whitelist and size tweaks after I inquired, and now there is a new tool to help you Hunt the Malwarez.<br /><br />GREAT JOB @dnlongen!!!<br /><br />#InfoSec #MalwareArchaeology<br />Hacker Hurricanehttp://www.blogger.com/profile/02277577209226007877noreply@blogger.com
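To make the size idea concrete, here is an added PowerShell example (my own code, not @dnlongen's RegLister) that walks a hive, computes the byte size of every value and reports those at or above the 20k mark discussed above, skipping keys that match a whitelist. It also covers the "Large Registry blobs" item from the Regin post earlier on this page. The hive, the threshold and the single whitelist pattern are assumptions; the whitelist entry is a placeholder to replace with keys you have verified as legitimately large on your own systems.<br /><br />

```powershell
# Added example, not RegLister: find registry values whose data is unusually
# large, the "size is a dead giveaway" check from the post, with a whitelist.
# Assumptions: HKLM\SOFTWARE\Classes as the hive (where the post's 250k payload
# lived), 20 KB as the threshold, and a placeholder whitelist pattern.

$Hive      = 'HKLM:\SOFTWARE\Classes'
$Threshold = 20KB                     # post: most legitimate values sit well below 20k
$Whitelist = @(                       # wildcard patterns matched against $key.Name (assumed placeholder)
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Placeholder\Known\Good\Key\*'
)

# Byte size of one value's data, by registry type (strings are stored as UTF-16).
function Get-ValueSize {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name)
    $raw = $Key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $raw) { return 0 }
    switch ($Key.GetValueKind($Name)) {
        'Binary'       { return $raw.Length }
        'String'       { return [Text.Encoding]::Unicode.GetByteCount([string]$raw) + 2 }
        'ExpandString' { return [Text.Encoding]::Unicode.GetByteCount([string]$raw) + 2 }
        'MultiString'  { return (($raw | Measure-Object -Property Length -Sum).Sum + $raw.Count + 1) * 2 }
        'DWord'        { return 4 }
        'QWord'        { return 8 }
        default        { if ($raw -is [byte[]]) { return $raw.Length } else { return 0 } }
    }
}

function Test-Whitelisted([string]$KeyName) {
    foreach ($pattern in $Whitelist) { if ($KeyName -like $pattern) { return $true } }
    return $false
}

# The root key plus every subkey we can open; unreadable keys are skipped silently.
$Keys = @(Get-Item -Path $Hive) +
        @(Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue)

$Findings = foreach ($key in $Keys) {
    if (Test-Whitelisted $key.Name) { continue }
    foreach ($name in $key.GetValueNames()) {            # '' is the (Default) value
        $size = Get-ValueSize -Key $key -Name $name
        if ($size -ge $Threshold) {
            $label = if ($name) { $name } else { '(Default)' }
            [pscustomobject]@{
                Key   = $key.Name
                Value = $label
                Kind  = $key.GetValueKind($name)
                Bytes = $size
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
} else {
    "No values of $Threshold bytes or more found under $Hive outside the whitelist."
}
```

Run it once on a known-clean build of each Windows image you support, feed the keys that legitimately show up into the whitelist, and from then on anything new in the report is worth a look. A REG_BINARY or REG_SZ value of a few hundred kilobytes under Software\Classes is exactly the shape of the payload described above.<br /><br />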